eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size The parse_tag_3_packet function does not check if the tag 3 packet contains a encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES. Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org> [tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free] Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Cc: stable@kernel.org (2.6.27 and 30) Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: f151cd2c54ddc7714e2f740681350476cda03a28 [log] [tgz]
author: Ramon de Carvalho Valle <ramon@risesecurity.org> Tue Jul 28 13:58:22 2009 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> Tue Jul 28 14:26:06 2009 -0700
tree: 81591bb25357c0d02a0549efadb62b67ba166434
parent: 6352a29305373ae6196491e6d4669f301e26492e [diff] [blame]
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 5414253d..259525c 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c

@@ -1303,6 +1303,13 @@
 	}
 	(*new_auth_tok)->session_key.encrypted_key_size =
 		(body_size - (ECRYPTFS_SALT_SIZE + 5));
+	if ((*new_auth_tok)->session_key.encrypted_key_size
+	    > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+		printk(KERN_WARNING "Tag 3 packet contains key larger "
+		       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+		rc = -EINVAL;
+		goto out_free;
+	}
 	if (unlikely(data[(*packet_size)++] != 0x04)) {
 		printk(KERN_WARNING "Unknown version number [%d]\n",
 		       data[(*packet_size) - 1]);
commit	f151cd2c54ddc7714e2f740681350476cda03a28	[log] [tgz]
author	Ramon de Carvalho Valle <ramon@risesecurity.org>	Tue Jul 28 13:58:22 2009 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	Tue Jul 28 14:26:06 2009 -0700
tree	81591bb25357c0d02a0549efadb62b67ba166434
parent	6352a29305373ae6196491e6d4669f301e26492e [diff] [blame]