Received: by 10.223.185.116 with SMTP id b49csp6312598wrg; Wed, 28 Feb 2018 07:24:18 -0800 (PST) X-Google-Smtp-Source: AH8x2266tBfkBPIuxM/eVPpLPI+EjUlJPV0DNORcp/ShzH2Ek9ssWoH8R9G5zekHUDLvWBlse+uq X-Received: by 10.101.68.82 with SMTP id e18mr14420719pgq.329.1519831458879; Wed, 28 Feb 2018 07:24:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519831458; cv=none; d=google.com; s=arc-20160816; b=Na6zNewVlE0U/MlwCwMMoGSkXjwyoQdrdH4kX4RFCDVtQmy2t+P8ArhnBdVSJucUGT OkjAc3PLIheWlC+pIR2n9IOWRREc20fp/PiEuDNyEFz9JgDEAZLHikPnD69dsUtPTU/A s90YuaOw8P1uZNNRa45KvENvFl6C61ETSLV//zd7v6lHf65bHqVZ2nbIirSTVxMzEPxI VPaPLFLwkOgaDx9Kg1EbR3lhNGcTjMMRyR86jojgjGnF4wi2u6I015WmfC2pbUVw5U/N ueC1DsvZaMSjDiIvl09aF9l5WC3fQFRam9ayYU6ZFiEq2fNHDddD7eQcjDerhime4/Ba AhUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=lw480g0p728cFqvjq0NX/84SMjtp4+SYO/ZCZoGewHo=; b=yNtpobyOJOHFCozL/HW6YvJeNTgR6ZM0m2ENvbd52cvn67yXK145GHhvGvcenbRHnp LhWA0YcVP7NQxr84rYco431PW+REJIBobEq8KmnUQQFhPJ1hJnVNOlJ1zQbYSFsXZEX+ Nvu3dsYDEgVIXpFkZV5OEUcioXhx+MUD1Ob4x7fvIpWo6K9QWDbOgqcla6sxYpF5Pe43 27UXy0nGgY61mp55tbs4JkUrhKenT4MAdSRBYdNa703jQ/SQ032WDJC/A1Fv5q4XNuxt lR9UgnCe+K7EwFQRCyyLmbyf2YUIPcfl/wdtnjPlU0ml22gWb11afXvds1xozeYGXBBH GZlA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e13si1096423pgt.569.2018.02.28.07.24.03; Wed, 28 Feb 2018 07:24:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932734AbeB1PWt (ORCPT + 99 others); Wed, 28 Feb 2018 10:22:49 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:33210 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752631AbeB1PWc (ORCPT ); Wed, 28 Feb 2018 10:22:32 -0500 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1er3Yg-0006Xg-Jq; Wed, 28 Feb 2018 15:22:18 +0000 Received: from ben by deadeye with local (Exim 4.90_1) (envelope-from ) id 1er3Yf-0008TF-8c; Wed, 28 Feb 2018 15:22:17 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "James Morris" , "Takashi Iwai" , "Eric Biggers" , "David Howells" Date: Wed, 28 Feb 2018 15:20:18 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 075/254] X.509: fix buffer overflow detection in sprint_oid() In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.55-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 47e0a208fb9d91e3f3c86309e752b13a36470ae8 upstream. In sprint_oid(), if the input buffer were to be more than 1 byte too small for the first snprintf(), 'bufsize' would underflow, causing a buffer overflow when printing the remainder of the OID. Fortunately this cannot actually happen currently, because no users pass in a buffer that can be too small for the first snprintf(). Regardless, fix it by checking the snprintf() return value correctly. For consistency also tweak the second snprintf() check to look the same. Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings") Cc: Takashi Iwai Signed-off-by: Eric Biggers Signed-off-by: David Howells Reviewed-by: James Morris Signed-off-by: Ben Hutchings --- lib/oid_registry.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/lib/oid_registry.c +++ b/lib/oid_registry.c @@ -120,10 +120,10 @@ int sprint_oid(const void *data, size_t n = *v++; ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40); + if (count >= bufsize) + return -ENOBUFS; buffer += count; bufsize -= count; - if (bufsize == 0) - return -ENOBUFS; while (v < end) { num = 0; @@ -141,9 +141,9 @@ int sprint_oid(const void *data, size_t } while (n & 0x80); } ret += count = snprintf(buffer, bufsize, ".%lu", num); - buffer += count; - if (bufsize <= count) + if (count >= bufsize) return -ENOBUFS; + buffer += count; bufsize -= count; }