lib/digsig: additional sanity checks against badly formated key payload

Added sanity checks for possible wrongly formatted key payload data: - minimum key payload size - zero modulus length - corrected upper key payload boundary. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>

lib/digsig: additional sanity checks against badly formated key payload
Added sanity checks for possible wrongly formatted key payload data: - minimum key payload size - zero modulus length - corrected upper key payload boundary. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
f58a0815 · Dmitry Kasatkin · James Morris · bc95eead · f58a0815
Commit f58a0815 authored Jan 26, 2012 by Dmitry Kasatkin Committed by James Morris Feb 02, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

lib/digsig.c lib/digsig.c +7 -2

No files found.
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key,

 	down_read(&key->sem);
 	ukp = key->payload.data;
+
+	if (ukp->datalen < sizeof(*pkh))
+		goto err1;
+
 	pkh = (struct pubkey_hdr *)ukp->data;

 	if (pkh->version != 1)
@@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key,
 		goto err1;

 	datap = pkh->mpi;
-	endp = datap + ukp->datalen;
+	endp = ukp->data + ukp->datalen;

 	for (i = 0; i < pkh->nmpi; i++) {
 		unsigned int remaining = endp - datap;
@@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key,
 	mblen = mpi_get_nbits(pkey[0]);
 	mlen = (mblen + 7)/8;

-	err = -ENOMEM;
+	if (mlen == 0)
+		goto err;

 	out1 = kzalloc(mlen, GFP_KERNEL);
 	if (!out1)