Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_kernel_shift_sdm845 / f58a08152ce4198a2a1da162b97ecf8264c24866^! / .
commitf58a08152ce4198a2a1da162b97ecf8264c24866[log] [tgz]
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>Thu Jan 26 19:13:25 2012 +0200
committerJames Morris <jmorris@namei.org>Thu Feb 02 00:23:38 2012 +1100
treee430ef22210d8d6d41c0b7253978558a0f15f7a5
parentbc95eeadf5c6fd9e9840898a83a93718a0114b6d [diff]
lib/digsig: additional sanity checks against badly formated key payload

Added sanity checks for possible wrongly formatted key payload data:
- minimum key payload size
- zero modulus length
- corrected upper key payload boundary.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/lib/digsig.c b/lib/digsig.c
index fd2402f..5d840ac 100644
--- a/lib/digsig.c
+++ b/lib/digsig.c

@@ -105,6 +105,10 @@
 
 	down_read(&key->sem);
 	ukp = key->payload.data;
+
+	if (ukp->datalen < sizeof(*pkh))
+		goto err1;
+
 	pkh = (struct pubkey_hdr *)ukp->data;
 
 	if (pkh->version != 1)
@@ -117,7 +121,7 @@
 		goto err1;
 
 	datap = pkh->mpi;
-	endp = datap + ukp->datalen;
+	endp = ukp->data + ukp->datalen;
 
 	for (i = 0; i < pkh->nmpi; i++) {
 		unsigned int remaining = endp - datap;
@@ -128,7 +132,8 @@
 	mblen = mpi_get_nbits(pkey[0]);
 	mlen = (mblen + 7)/8;
 
-	err = -ENOMEM;
+	if (mlen == 0)
+		goto err;
 
 	out1 = kzalloc(mlen, GFP_KERNEL);
 	if (!out1)