Commit 02c9c0e9 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull keyring fix from David Howells:
 "Fix ASN.1 indefinite length object parsing"

* tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  KEYS: Fix ASN.1 indefinite length object parsing
parents e5ad8b6d 23c8a812
......@@ -74,7 +74,7 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen
/* Extract a tag from the data */
tag = data[dp++];
if (tag == 0) {
if (tag == ASN1_EOC) {
/* It appears to be an EOC. */
if (data[dp++] != 0)
goto invalid_eoc;
......@@ -96,10 +96,8 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen
/* Extract the length */
len = data[dp++];
if (len <= 0x7f) {
dp += len;
goto next_tag;
}
if (len <= 0x7f)
goto check_length;
if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
/* Indefinite length */
......@@ -110,14 +108,18 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen
}
n = len - 0x80;
if (unlikely(n > sizeof(size_t) - 1))
if (unlikely(n > sizeof(len) - 1))
goto length_too_long;
if (unlikely(n > datalen - dp))
goto data_overrun_error;
for (len = 0; n > 0; n--) {
len = 0;
for (; n > 0; n--) {
len <<= 8;
len |= data[dp++];
}
check_length:
if (len > datalen - dp)
goto data_overrun_error;
dp += len;
goto next_tag;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment