lib/digsig: additional sanity checks against badly formated key payload
Added sanity checks for possible wrongly formatted key payload data: - minimum key payload size - zero modulus length - corrected upper key payload boundary. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Dmitry Kasatkin
James Morris
parent
bc95eeadf5
commit
f58a08152c
|
|
@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key,
|
|||
|
||||
down_read(&key->sem);
|
||||
ukp = key->payload.data;
|
||||
|
||||
if (ukp->datalen < sizeof(*pkh))
|
||||
goto err1;
|
||||
|
||||
pkh = (struct pubkey_hdr *)ukp->data;
|
||||
|
||||
if (pkh->version != 1)
|
||||
|
|
@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key,
|
|||
goto err1;
|
||||
|
||||
datap = pkh->mpi;
|
||||
endp = datap + ukp->datalen;
|
||||
endp = ukp->data + ukp->datalen;
|
||||
|
||||
for (i = 0; i < pkh->nmpi; i++) {
|
||||
unsigned int remaining = endp - datap;
|
||||
|
|
@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key,
|
|||
mblen = mpi_get_nbits(pkey[0]);
|
||||
mlen = (mblen + 7)/8;
|
||||
|
||||
err = -ENOMEM;
|
||||
if (mlen == 0)
|
||||
goto err;
|
||||
|
||||
out1 = kzalloc(mlen, GFP_KERNEL);
|
||||
if (!out1)
|
||||
|
|
|
|||
Loading…
Reference in New Issue