From d94b51511499508a39f0a96f7c75cab4547b9b41 Mon Sep 17 00:00:00 2001
From: Miloslav Trmač
Date: Fri, 9 Jul 2010 08:07:30 +0200
Subject: Avoid overflows when unwrapping from storage

Signed-off-by: Nikos Mavrogiannopoulos
---
 ncr-key-storage.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ncr-key-storage.c b/ncr-key-storage.c
index 2a6055e..69e1c50 100644
--- a/ncr-key-storage.c
+++ b/ncr-key-storage.c
@@ -87,7 +87,7 @@ int key_from_storage_data(struct key_item_st* key, const void* data, size_t data
 const struct packed_key * pkey = data;
 int ret;
- if (data_size != sizeof(*pkey)) {
+ if (data_size != sizeof(*pkey) || pkey->key_id_size > MAX_KEY_ID_SIZE) {
 err();
 return -EINVAL;
 }
@@ -100,6 +100,10 @@ int key_from_storage_data(struct key_item_st* key, const void* data, size_t data
 memcpy(key->key_id, pkey->key_id, pkey->key_id_size);
 if (key->type == NCR_KEY_TYPE_SECRET) {
+ if (pkey->raw_size > NCR_CIPHER_MAX_KEY_LEN) {
+ err();
+ return -EINVAL;
+ }
 key->key.secret.size = pkey->raw_size;
 memcpy(key->key.secret.data, pkey->raw, pkey->raw_size);
 } else if (key->type == NCR_KEY_TYPE_PUBLIC
-- cgit
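Review bot: The new bound in the first hunk compares `pkey->key_id_size` with the macro `MAX_KEY_ID_SIZE` rather than with the buffers that the later `memcpy(key->key_id, pkey->key_id, pkey->key_id_size)` actually touches, so the check is only as good as the assumption that both arrays are at least that large. Their declarations are not visible here; if `key->key_id` is a fixed-size array, `pkey->key_id_size > sizeof(key->key_id)` would keep the limit tied to the destination should either definition change. The same applies to `NCR_CIPHER_MAX_KEY_LEN` versus `key->key.secret.data` in the second hunk. The function body starts and ends outside the hunk.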
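Review bot: `pkey->raw_size` is validated only inside the `NCR_KEY_TYPE_SECRET` branch, so the `NCR_KEY_TYPE_PUBLIC` branch that opens on the hunk's last line still receives an unchecked length taken from storage; that branch continues outside the hunk, so whether it bounds its reads of `pkey->raw` cannot be confirmed from here. The rejection also comes after `key->key_id` has already been filled by the preceding `memcpy`, which leaves `key` partly written on the `-EINVAL` path. Assuming `raw` is a fixed-size array in `struct packed_key`, adding `|| pkey->raw_size > sizeof(pkey->raw)` to the initial `data_size` check would reject an oversized length for every key type before `key` is modified, with the secret-specific limit kept where it is.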