• David Howells's avatar
    KEYS: Fix ASN.1 indefinite length object parsing · af00ae6e
    David Howells authored
    commit 23c8a812 upstream.
    
    This fixes CVE-2016-0758.
    
    In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
    it isn't validated against the remaining amount of data before being added
    to the cursor.  With a sufficiently large size indicated, the check:
    
    	datalen - dp < 2
    
    may then fail due to integer overflow.
    
    Fix this by checking the length indicated against the amount of remaining
    data in both places a definite length is determined.
    
    Whilst we're at it, make the following changes:
    
     (1) Check the maximum size of extended length does not exceed the capacity
         of the variable it's being stored in (len) rather than the type that
         variable is assumed to be (size_t).
    
     (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
         integer 0.
    
     (3) To reduce confusion, move the initialisation of len outside of:
    
    	for (len = 0; n > 0; n--) {
    
         since it doesn't have anything to do with the loop counter n.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Reviewed-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    Acked-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
    Acked-by: default avatarPeter Jones <pjones@redhat.com>
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    af00ae6e
asn1_decoder.c 12.5 KB