Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull keyring fix from David Howells:
"Fix ASN.1 indefinite length object parsing"
* tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
KEYS: Fix ASN.1 indefinite length object parsing
+9
-7
+9
-7
lib/asn1_decoder.c
+9
-7
lib/asn1_decoder.c
···
74
74
75
75
/* Extract a tag from the data */
76
76
tag = data[dp++];
77
-
if (tag == 0) {
77
+
if (tag == ASN1_EOC) {
78
78
/* It appears to be an EOC. */
79
79
if (data[dp++] != 0)
80
80
goto invalid_eoc;
···
96
96
97
97
/* Extract the length */
98
98
len = data[dp++];
99
-
if (len <= 0x7f) {
100
-
dp += len;
101
-
goto next_tag;
102
-
}
99
+
if (len <= 0x7f)
100
+
goto check_length;
103
101
104
102
if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
105
103
/* Indefinite length */
···
108
110
}
109
111
110
112
n = len - 0x80;
111
-
if (unlikely(n > sizeof(size_t) - 1))
113
+
if (unlikely(n > sizeof(len) - 1))
112
114
goto length_too_long;
113
115
if (unlikely(n > datalen - dp))
114
116
goto data_overrun_error;
115
-
for (len = 0; n > 0; n--) {
117
+
len = 0;
118
+
for (; n > 0; n--) {
116
119
len <<= 8;
117
120
len |= data[dp++];
118
121
}
122
+
check_length:
123
+
if (len > datalen - dp)
124
+
goto data_overrun_error;
119
125
dp += len;
120
126
goto next_tag;
121
127