Merge tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux…

…/kernel/git/dhowells/linux-fs Pull keyring fix from David Howells: "Fix ASN.1 indefinite length object parsing" * tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: KEYS: Fix ASN.1 indefinite length object parsing
mariux64 · May 12, 2016 · 02c9c0e · 02c9c0e
2 parents e5ad8b6 + 23c8a81
commit 02c9c0e
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
@@ -74,7 +74,7 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen
 
 	/* Extract a tag from the data */
 	tag = data[dp++];
-	if (tag == 0) {
+	if (tag == ASN1_EOC) {
 		/* It appears to be an EOC. */
 		if (data[dp++] != 0)
 			goto invalid_eoc;
@@ -96,10 +96,8 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen
 
 	/* Extract the length */
 	len = data[dp++];
-	if (len <= 0x7f) {
-		dp += len;
-		goto next_tag;
-	}
+	if (len <= 0x7f)
+		goto check_length;
 
 	if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
 		/* Indefinite length */
@@ -110,14 +108,18 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen
 	}
 
 	n = len - 0x80;
-	if (unlikely(n > sizeof(size_t) - 1))
+	if (unlikely(n > sizeof(len) - 1))
 		goto length_too_long;
 	if (unlikely(n > datalen - dp))
 		goto data_overrun_error;
-	for (len = 0; n > 0; n--) {
+	len = 0;
+	for (; n > 0; n--) {
 		len <<= 8;
 		len |= data[dp++];
 	}
+check_length:
+	if (len > datalen - dp)
+		goto data_overrun_error;
 	dp += len;
 	goto next_tag;