diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-05-12 13:00:33 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-05-12 13:00:33 -0700 |
| commit | 02c9c0e9b9d9e26f56aa74245c1a5a843878f899 (patch) | |
| tree | 468b04a85175934166c656e67615991ab9e3af32 | |
| parent | e5ad8b6d1ef82a83b1469fe66e40e06f07f46222 (diff) | |
| parent | 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa (diff) | |
Merge tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull keyring fix from David Howells:
"Fix ASN.1 indefinite length object parsing"
* tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
KEYS: Fix ASN.1 indefinite length object parsing
| -rw-r--r-- | lib/asn1_decoder.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index 2b3f46c049d4..554522934c44 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -74,7 +74,7 @@ next_tag: /* Extract a tag from the data */ tag = data[dp++]; - if (tag == 0) { + if (tag == ASN1_EOC) { /* It appears to be an EOC. */ if (data[dp++] != 0) goto invalid_eoc; @@ -96,10 +96,8 @@ next_tag: /* Extract the length */ len = data[dp++]; - if (len <= 0x7f) { - dp += len; - goto next_tag; - } + if (len <= 0x7f) + goto check_length; if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { /* Indefinite length */ @@ -110,14 +108,18 @@ next_tag: } n = len - 0x80; - if (unlikely(n > sizeof(size_t) - 1)) + if (unlikely(n > sizeof(len) - 1)) goto length_too_long; if (unlikely(n > datalen - dp)) goto data_overrun_error; - for (len = 0; n > 0; n--) { + len = 0; + for (; n > 0; n--) { len <<= 8; len |= data[dp++]; } +check_length: + if (len > datalen - dp) + goto data_overrun_error; dp += len; goto next_tag; |