Merge tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull keyring fix from David Howells:
 "Fix ASN.1 indefinite length object parsing"

* tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  KEYS: Fix ASN.1 indefinite length object parsing

1 files changed, 9 insertions, 7 deletions

diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
index 2b3f46c049d4..554522934c44 100644
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -74,7 +74,7 @@ next_tag:
 
         /* Extract a tag from the data */
         tag = data[dp++];
-        if (tag == 0) {
+        if (tag == ASN1_EOC) {
                 /* It appears to be an EOC. */
                 if (data[dp++] != 0)
                         goto invalid_eoc;
@@ -96,10 +96,8 @@ next_tag:
 
         /* Extract the length */
         len = data[dp++];
-        if (len <= 0x7f) {
-                dp += len;
-                goto next_tag;
-        }
+        if (len <= 0x7f)
+                goto check_length;
 
         if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
                 /* Indefinite length */
@@ -110,14 +108,18 @@ next_tag:
         }
 
         n = len - 0x80;
-        if (unlikely(n > sizeof(size_t) - 1))
+        if (unlikely(n > sizeof(len) - 1))
                 goto length_too_long;
         if (unlikely(n > datalen - dp))
                 goto data_overrun_error;
-        for (len = 0; n > 0; n--) {
+        len = 0;
+        for (; n > 0; n--) {
                 len <<= 8;
                 len |= data[dp++];
         }
+check_length:
+        if (len > datalen - dp)
+                goto data_overrun_error;
         dp += len;
         goto next_tag;