| From foo@baz Fri Feb 23 12:01:27 CET 2018 |
| From: Eric Biggers <ebiggers3@gmail.com> |
| Date: Fri, 8 Dec 2017 15:13:28 +0000 |
| Subject: 509: fix printing uninitialized stack memory when OID is empty |
| |
| From: Eric Biggers <ebiggers3@gmail.com> |
| |
| |
| [ Upstream commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 ] |
| |
| Callers of sprint_oid() do not check its return value before printing |
| the result. In the case where the OID is zero-length, -EBADMSG was |
| being returned without anything being written to the buffer, resulting |
| in uninitialized stack memory being printed. Fix this by writing |
| "(bad)" to the buffer in the cases where -EBADMSG is returned. |
| |
| Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings") |
| Signed-off-by: Eric Biggers <ebiggers@google.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| lib/oid_registry.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| --- a/lib/oid_registry.c |
| +++ b/lib/oid_registry.c |
| @@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t |
| int count; |
| |
| if (v >= end) |
| - return -EBADMSG; |
| + goto bad; |
| |
| n = *v++; |
| ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40); |
| @@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t |
| num = n & 0x7f; |
| do { |
| if (v >= end) |
| - return -EBADMSG; |
| + goto bad; |
| n = *v++; |
| num <<= 7; |
| num |= n & 0x7f; |
| @@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t |
| } |
| |
| return ret; |
| + |
| +bad: |
| + snprintf(buffer, bufsize, "(bad)"); |
| + return -EBADMSG; |
| } |
| EXPORT_SYMBOL_GPL(sprint_oid); |
| |
