1 files changed, 13 insertions, 0 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index af737bb56cb..259525c9abb 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
        }
        (*new_auth_tok)->session_key.encrypted_key_size =
                (body_size - (ECRYPTFS_SALT_SIZE + 5));
+        if ((*new_auth_tok)->session_key.encrypted_key_size
+            > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+                printk(KERN_WARNING "Tag 3 packet contains key larger "
+                       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+                rc = -EINVAL;
+                goto out_free;
+        }
        if (unlikely(data[(*packet_size)++] != 0x04)) {
                printk(KERN_WARNING "Unknown version number [%d]\n",
                       data[(*packet_size) - 1]);
@@ -1449,6 +1456,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
                rc = -EINVAL;
                goto out;
        }
+        if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+                printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+                       "expected size\n");
+                rc = -EINVAL;
+                goto out;
+        }
        if (data[(*packet_size)++] != 0x62) {
                printk(KERN_WARNING "Unrecognizable packet\n");
                rc = -EINVAL;

diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index af737bb56cb..259525c9abb 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c
@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
1303	}	1303	}
1304	(*new_auth_tok)->session_key.encrypted_key_size =	1304	(*new_auth_tok)->session_key.encrypted_key_size =
1305	(body_size - (ECRYPTFS_SALT_SIZE + 5));	1305	(body_size - (ECRYPTFS_SALT_SIZE + 5));
		1306	if ((*new_auth_tok)->session_key.encrypted_key_size
		1307	> ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
		1308	printk(KERN_WARNING "Tag 3 packet contains key larger "
		1309	"than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
		1310	rc = -EINVAL;
		1311	goto out_free;
		1312	}
1306	if (unlikely(data[(*packet_size)++] != 0x04)) {	1313	if (unlikely(data[(*packet_size)++] != 0x04)) {
1307	printk(KERN_WARNING "Unknown version number [%d]\n",	1314	printk(KERN_WARNING "Unknown version number [%d]\n",
1308	data[(*packet_size) - 1]);	1315	data[(*packet_size) - 1]);
@@ -1449,6 +1456,12 @@ parse_tag_11_packet(unsigned char data, unsigned char contents,
1449	rc = -EINVAL;	1456	rc = -EINVAL;
1450	goto out;	1457	goto out;
1451	}	1458	}
		1459	if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
		1460	printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
		1461	"expected size\n");
		1462	rc = -EINVAL;
		1463	goto out;
		1464	}
1452	if (data[(*packet_size)++] != 0x62) {	1465	if (data[(*packet_size)++] != 0x62) {
1453	printk(KERN_WARNING "Unrecognizable packet\n");	1466	printk(KERN_WARNING "Unrecognizable packet\n");
1454	rc = -EINVAL;	1467	rc = -EINVAL;