
Commit 1b22e4b

committed
fix F-4409: Integer Overflow in PKCS1 Sign Length Check Allows Heap Buffer Overflow
1 parent 8624bca commit 1b22e4b

1 file changed

Lines changed: 3 additions & 3 deletions


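--- a/linuxkm/lkcapi_rsa_glue.c
+++ b/linuxkm/lkcapi_rsa_glue.c
@@ -1128,7 +1128,7 @@ static int km_pkcs1pad_sign(struct akcipher_request *req)
 goto pkcs1pad_sign_out;
 }
 
-if (req->src_len + hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
+if ((word64)req->src_len + (word64)hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
 err = -EOVERFLOW;
 goto pkcs1pad_sign_out;
 }
@@ -1378,7 +1378,7 @@ static int km_pkcs1_sign(struct crypto_sig *tfm,
 goto pkcs1_sign_out;
 }
 
-if (slen + hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
+if ((word64)slen + (word64)hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
 err = -EOVERFLOW;
 goto pkcs1_sign_out;
 }
@@ -1708,7 +1708,7 @@ static int km_pkcs1pad_enc(struct akcipher_request *req)
 goto pkcs1_enc_out;
 }
 
-if (req->src_len + RSA_MIN_PAD_SZ > ctx->key_len) {
+if ((word64)req->src_len + RSA_MIN_PAD_SZ > ctx->key_len) {
 err = -EOVERFLOW;
 goto pkcs1_enc_out;
 }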
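Review bot: The `(word64)` casts in all three checks (km_pkcs1pad_sign, km_pkcs1_sign, km_pkcs1pad_enc) carry the whole fix but are unexplained, so a later cleanup could drop them as redundant and bring back the wrap-around that lets an oversized source length slip under the key_len bound. I would add a comment above each check, e.g. `/* widen before adding: the narrower sum can wrap and pass the key_len bound */`, or better, move the test into one static helper so the three sites cannot drift apart. The types of `hash_enc_len` and `ctx->key_len` are not visible in these hunks; if either is signed, converting a negative value to `word64` yields a very large number, so it is worth confirming that the error path just above each check already rejects non-positive values. A form that needs no widening at all, presuming unsigned operands, is `if (ctx->key_len < RSA_MIN_PAD_SZ || req->src_len > ctx->key_len - RSA_MIN_PAD_SZ)` for the encrypt case, with the sign cases subtracting `hash_enc_len` the same way. All three functions start and end outside the hunks shown.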
