Commit d6a2cf07 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'fixes-v4.14-rc8' of...

Merge branch 'fixes-v4.14-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull key handling fix from James Morris:
 "Fix by Eric Biggers for the keys subsystem"

* 'fixes-v4.14-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
parents f7dc4c9a 624f5ab8
...@@ -228,7 +228,7 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, ...@@ -228,7 +228,7 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder,
hdr = 2; hdr = 2;
/* Extract a tag from the data */ /* Extract a tag from the data */
if (unlikely(dp >= datalen - 1)) if (unlikely(datalen - dp < 2))
goto data_overrun_error; goto data_overrun_error;
tag = data[dp++]; tag = data[dp++];
if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
...@@ -274,7 +274,7 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, ...@@ -274,7 +274,7 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder,
int n = len - 0x80; int n = len - 0x80;
if (unlikely(n > 2)) if (unlikely(n > 2))
goto length_too_long; goto length_too_long;
if (unlikely(dp >= datalen - n)) if (unlikely(n > datalen - dp))
goto data_overrun_error; goto data_overrun_error;
hdr += n; hdr += n;
for (len = 0; n > 0; n--) { for (len = 0; n > 0; n--) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment