KEYS: encrypted: fix buffer overread in valid_master_desc()
With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.] Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
This commit is contained in:
parent
e9ff56ac35
commit
794b4bc292
@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
|
||||
*/
|
||||
static int valid_master_desc(const char *new_desc, const char *orig_desc)
|
||||
{
|
||||
if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
|
||||
if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
|
||||
goto out;
|
||||
if (orig_desc)
|
||||
if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
|
||||
goto out;
|
||||
} else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
|
||||
if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
|
||||
goto out;
|
||||
if (orig_desc)
|
||||
if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
|
||||
goto out;
|
||||
} else
|
||||
goto out;
|
||||
int prefix_len;
|
||||
|
||||
if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
|
||||
prefix_len = KEY_TRUSTED_PREFIX_LEN;
|
||||
else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
|
||||
prefix_len = KEY_USER_PREFIX_LEN;
|
||||
else
|
||||
return -EINVAL;
|
||||
|
||||
if (!new_desc[prefix_len])
|
||||
return -EINVAL;
|
||||
|
||||
if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
|
||||
return -EINVAL;
|
||||
|
||||
return 0;
|
||||
out:
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user