From: Eric Biggers Date: Wed, 19 Jan 2022 00:13:05 +0000 (-0800) Subject: crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() X-Git-Tag: v6.6.17~7845^2~115 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a24611ea356c7f3f0ec926da11b9482ac1f414fd;p=platform%2Fkernel%2Flinux-rpi.git crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() Before checking whether the expected digest_info is present, we need to check that there are enough bytes remaining. Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad") Cc: # v4.6+ Cc: Tadeusz Struk Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu --- diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c index 6b556dd..9d80483 100644 --- a/crypto/rsa-pkcs1pad.c +++ b/crypto/rsa-pkcs1pad.c @@ -476,6 +476,8 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err) pos++; if (digest_info) { + if (digest_info->size > dst_len - pos) + goto done; if (crypto_memneq(out_buf + pos, digest_info->data, digest_info->size)) goto done;