On Fri, Aug 22, 2025 at 03:22:08PM +0100, David Howells wrote:
> Fix keyctl_read_alloc() to check for a potential unsigned overflow when we
> allocate a buffer with an extra byte added on the end for a NUL.
>
> Fix keyctl_dh_compute_alloc() for the same thing.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
> keyutils.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/keyutils.c b/keyutils.c
> index 37b6cc3..fd02cda 100644
> --- a/keyutils.c
> +++ b/keyutils.c
> @@ -18,6 +18,7 @@
> #include <dlfcn.h>
> #include <sys/uio.h>
> #include <errno.h>
> +#include <limits.h>
> #include <asm/unistd.h>
> #include "keyutils.h"
>
> @@ -442,6 +443,8 @@ int keyctl_read_alloc(key_serial_t id, void **_buffer)
> return -1;
>
> for (;;) {
> + if (ret == LONG_MAX)
> + return -EFBIG; /* Don't let buflen+1 overflow. */
> buflen = ret;
> buf = malloc(buflen + 1);
> if (!buf)
> @@ -515,6 +518,8 @@ int keyctl_dh_compute_alloc(key_serial_t priv, key_serial_t prime,
> if (ret < 0)
> return -1;
>
> + if (ret == LONG_MAX)
> + return -EFBIG; /* Don't let buflen+1 overflow. */
> buflen = ret;
> buf = malloc(buflen + 1);
> if (!buf)
>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko