[PATCH] X.509: fix buffer overflow detection in sprint

linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] X.509: fix buffer overflow detection in sprint_oid()
@ 2017-11-27  7:17 Eric Biggers
  2017-11-27  8:34 ` James Morris
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Biggers @ 2017-11-27  7:17 UTC (permalink / raw)
  To: keyrings, David Howells
  Cc: linux-crypto, Alexander Potapenko, Eric Biggers, Takashi Iwai

From: Eric Biggers <ebiggers@google.com>

In sprint_oid(), if the input buffer were to be more than 1 byte too
small for the first snprintf(), 'bufsize' would underflow, causing a
buffer overflow when printing the remainder of the OID.

Fortunately this cannot actually happen currently, because no users pass
in a buffer that can be too small for the first snprintf().

Regardless, fix it by checking the snprintf() return value correctly.

For consistency also tweak the second snprintf() check to look the same.

Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 lib/oid_registry.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/oid_registry.c b/lib/oid_registry.c
index 41b9e50711a7..5a75d127995d 100644
--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -120,10 +120,10 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
 
 	n = *v++;
 	ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
+	if (count >= bufsize)
+		return -ENOBUFS;
 	buffer += count;
 	bufsize -= count;
-	if (bufsize == 0)
-		return -ENOBUFS;
 
 	while (v < end) {
 		num = 0;
@@ -141,9 +141,9 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
 			} while (n & 0x80);
 		}
 		ret += count = snprintf(buffer, bufsize, ".%lu", num);
-		buffer += count;
-		if (bufsize <= count)
+		if (count >= bufsize)
 			return -ENOBUFS;
+		buffer += count;
 		bufsize -= count;
 	}
 
-- 
2.15.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] X.509: fix buffer overflow detection in sprint_oid()
  2017-11-27  7:17 [PATCH] X.509: fix buffer overflow detection in sprint_oid() Eric Biggers
@ 2017-11-27  8:34 ` James Morris
  0 siblings, 0 replies; 2+ messages in thread
From: James Morris @ 2017-11-27  8:34 UTC (permalink / raw)
  To: Eric Biggers
  Cc: keyrings, David Howells, linux-crypto, Alexander Potapenko,
	Eric Biggers, Takashi Iwai

On Sun, 26 Nov 2017, Eric Biggers wrote:

> 
> Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
> Cc: Takashi Iwai <tiwai@suse.de>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  lib/oid_registry.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)


Reviewed-by: James Morris <james.l.morris@oracle.com>


-- 
James Morris
<james.l.morris@oracle.com>

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-11-27  8:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-27  7:17 [PATCH] X.509: fix buffer overflow detection in sprint_oid() Eric Biggers
2017-11-27  8:34 ` James Morris

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).