summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-12-08 15:13:28 +0000
committerDavid Howells <dhowells@redhat.com>2017-12-08 15:13:28 +0000
commit47e0a208fb9d91e3f3c86309e752b13a36470ae8 (patch)
tree7ef7646ed93f622533c61b0290fecb43cec8853e /lib
parent0f30cbea005bd3077bd98cd29277d7fc2699c1da (diff)
downloadlinux-47e0a208fb9d91e3f3c86309e752b13a36470ae8.tar.gz
linux-47e0a208fb9d91e3f3c86309e752b13a36470ae8.tar.bz2
linux-47e0a208fb9d91e3f3c86309e752b13a36470ae8.zip
X.509: fix buffer overflow detection in sprint_oid()
In sprint_oid(), if the input buffer were to be more than 1 byte too small for the first snprintf(), 'bufsize' would underflow, causing a buffer overflow when printing the remainder of the OID. Fortunately this cannot actually happen currently, because no users pass in a buffer that can be too small for the first snprintf(). Regardless, fix it by checking the snprintf() return value correctly. For consistency also tweak the second snprintf() check to look the same. Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings") Cc: Takashi Iwai <tiwai@suse.de> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/oid_registry.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/oid_registry.c b/lib/oid_registry.c
index 41b9e50711a7..5a75d127995d 100644
--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -120,10 +120,10 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
n = *v++;
ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
+ if (count >= bufsize)
+ return -ENOBUFS;
buffer += count;
bufsize -= count;
- if (bufsize == 0)
- return -ENOBUFS;
while (v < end) {
num = 0;
@@ -141,9 +141,9 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
} while (n & 0x80);
}
ret += count = snprintf(buffer, bufsize, ".%lu", num);
- buffer += count;
- if (bufsize <= count)
+ if (count >= bufsize)
return -ENOBUFS;
+ buffer += count;
bufsize -= count;
}