3 files changed, 11 insertions, 3 deletions

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6dc075144508..d775e03fbbcc 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -106,6 +106,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
 
         pks.pkey_algo = "rsa";
         pks.hash_algo = hash_algo_name[hdr->hash_algo];
+        pks.encoding = "pkcs1";
         pks.digest = (u8 *)data;
         pks.digest_size = datalen;
         pks.s = hdr->sig;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7ce683259357..a67459eb62d5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5318,6 +5318,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
         addr_buf = address;
 
         while (walk_size < addrlen) {
+                if (walk_size + sizeof(sa_family_t) > addrlen)
+                        return -EINVAL;
+
                 addr = addr_buf;
                 switch (addr->sa_family) {
                 case AF_UNSPEC:
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 2fe459df3c85..b7efa2296969 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -245,9 +245,13 @@ int mls_context_to_sid(struct policydb *pol,
         char *rangep[2];
 
         if (!pol->mls_enabled) {
-                if ((def_sid != SECSID_NULL && oldc) || (*scontext) == '\0')
-                        return 0;
-                return -EINVAL;
+                /*
+                 * With no MLS, only return -EINVAL if there is a MLS field
+                 * and it did not come from an xattr.
+                 */
+                if (oldc && def_sid == SECSID_NULL)
+                        return -EINVAL;
+                return 0;
         }
 
         /*