From 7531c0068e7f1ad367b12dbf4e51766f09f9baee Mon Sep 17 00:00:00 2001
From: Dmitry Kasatkin
Date: Thu, 26 Jan 2012 19:13:25 +0200
Subject: [PATCH] --- yaml --- r: 287113 b: refs/heads/master c: f58a08152ce4198a2a1da162b97ecf8264c24866 h: refs/heads/master i: 287111: e442254218c12ba98f3edb811c963ed9f519ace3 v: v3
---
[refs] | 2 +-
trunk/lib/digsig.c | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/[refs] b/[refs]
index 872bda50364b..6f073abb5ff4 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: bc95eeadf5c6fd9e9840898a83a93718a0114b6d
+refs/heads/master: f58a08152ce4198a2a1da162b97ecf8264c24866
diff --git a/trunk/lib/digsig.c b/trunk/lib/digsig.c
index fd2402f67f89..5d840ac64fb1 100644
--- a/trunk/lib/digsig.c
+++ b/trunk/lib/digsig.c
@@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key,
 down_read(&key->sem);
 ukp = key->payload.data;
+
+ if (ukp->datalen < sizeof(*pkh))
+ goto err1;
+
 pkh = (struct pubkey_hdr *)ukp->data;
 if (pkh->version != 1)
@@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key,
 goto err1;
 datap = pkh->mpi;
- endp = datap + ukp->datalen;
+ endp = ukp->data + ukp->datalen;
 for (i = 0; i < pkh->nmpi; i++) {
 unsigned int remaining = endp - datap;
@@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key,
 mblen = mpi_get_nbits(pkey[0]);
 mlen = (mblen + 7)/8;
- err = -ENOMEM;
+ if (mlen == 0)
+ goto err;
 out1 = kzalloc(mlen, GFP_KERNEL);
 if (!out1)
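Review bot: The added `if (ukp->datalen < sizeof(*pkh))` guard in the `@@ -105,6 +105,10 @@` hunk of digsig.c has no comment saying what it protects, and it only proves that the fixed-size header fits, not the MPI bytes that follow it. A one-line comment above it would record the intent, e.g. `/* key payload must hold a whole pubkey_hdr before it is cast and its fields are read */`. The value of `err` when this `goto err1` fires is assigned outside the hunk, so it is worth confirming that a truncated key comes back as an invalid-key error rather than whatever `err` happened to hold.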
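Review bot: In the `@@ -117,7 +121,7 @@` hunk, `unsigned int remaining = endp - datap;` stores a pointer difference in an unsigned type, so the corrected `endp` is a safe bound only while `datap` never moves past it. The first iteration is covered by the new `datalen` check in the earlier hunk, but how `datap` advances on later iterations is in the part of the loop body outside this hunk. If that is not already guaranteed there, an explicit `if (datap > endp)` bail-out through the function's existing error path before the subtraction would stop a wrapped length from reaching the MPI reader. A comment on the assignment such as `/* one past the last payload byte; datap already sits sizeof(*pkh) bytes in */` would also explain why `datap + ukp->datalen` was wrong.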
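Review bot: With `err = -ENOMEM;` removed in the `@@ -128,7 +132,8 @@` hunk, neither the new `goto err` for `mlen == 0` nor the `if (!out1)` path after `kzalloc` sets its own error code. Both now return whatever `err` held on reaching this stretch, which is assigned outside the hunk. A zero-length modulus is malformed key material rather than an allocation failure, so I would make that explicit with `if (mlen == 0) { err = -EINVAL; goto err; }` and keep `err = -ENOMEM;` directly before the `kzalloc` call. A short comment that the check also keeps `kzalloc(0)` from returning a non-NULL zero-size pointer that would pass `!out1` would help the next reader.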