www.infradead.org Git - users/jedix/linux-maple.git/commit

author	David Howells <dhowells@redhat.com>
	Fri, 13 May 2016 01:08:52 +0000 (21:08 -0400)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Sun, 22 May 2016 15:47:11 +0000 (08:47 -0700)
commit	136b886e0408016e33a59d5cab8c07e51d978287
tree	c87bbc2285804bf4188ab786a039a7377ce6f4a9	tree
parent	45a0ab063ffa2fa5ba0e7214bd57ac555dec6c7c	commit \| diff

KEYS: Fix ASN.1 indefinite length object parsing
This fixes CVE-2016-0758.

Orabug: 23279563
CVE: CVE-2016-0758

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

(1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

(2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

(3) To reduce confusion, move the initialisation of len outside of:

for (len = 0; n > 0; n--) {
     since it doesn't have anything to do with the loop counter n.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>