mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-06 05:06:29 +00:00
9e47a758b7
During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie Hellman group and passing a correctly sized, but zeroed Diffie Hellamn value. mpi_cmp_ui() was detecting this if the second parameter was 0, but 1 is passed from dh_is_pubkey_valid(). This causes the null pointer u->d to be dereferenced towards the end of mpi_cmp_ui() Signed-off-by: Mark O'Donovan <shiftee@posteo.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
99 lines
2.0 KiB
C
99 lines
2.0 KiB
C
/* mpi-cmp.c - MPI functions
|
|
* Copyright (C) 1998, 1999 Free Software Foundation, Inc.
|
|
*
|
|
* This file is part of GnuPG.
|
|
*
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
|
|
*/
|
|
|
|
#include "mpi-internal.h"
|
|
|
|
int mpi_cmp_ui(MPI u, unsigned long v)
|
|
{
|
|
mpi_limb_t limb = v;
|
|
|
|
mpi_normalize(u);
|
|
if (u->nlimbs == 0) {
|
|
if (v == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
if (u->sign)
|
|
return -1;
|
|
if (u->nlimbs > 1)
|
|
return 1;
|
|
|
|
if (u->d[0] == limb)
|
|
return 0;
|
|
else if (u->d[0] > limb)
|
|
return 1;
|
|
else
|
|
return -1;
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_cmp_ui);
|
|
|
|
static int do_mpi_cmp(MPI u, MPI v, int absmode)
|
|
{
|
|
mpi_size_t usize;
|
|
mpi_size_t vsize;
|
|
int usign;
|
|
int vsign;
|
|
int cmp;
|
|
|
|
mpi_normalize(u);
|
|
mpi_normalize(v);
|
|
|
|
usize = u->nlimbs;
|
|
vsize = v->nlimbs;
|
|
usign = absmode ? 0 : u->sign;
|
|
vsign = absmode ? 0 : v->sign;
|
|
|
|
/* Compare sign bits. */
|
|
|
|
if (!usign && vsign)
|
|
return 1;
|
|
if (usign && !vsign)
|
|
return -1;
|
|
|
|
/* U and V are either both positive or both negative. */
|
|
|
|
if (usize != vsize && !usign && !vsign)
|
|
return usize - vsize;
|
|
if (usize != vsize && usign && vsign)
|
|
return vsize + usize;
|
|
if (!usize)
|
|
return 0;
|
|
cmp = mpihelp_cmp(u->d, v->d, usize);
|
|
if (!cmp)
|
|
return 0;
|
|
if ((cmp < 0?1:0) == (usign?1:0))
|
|
return 1;
|
|
|
|
return -1;
|
|
}
|
|
|
|
int mpi_cmp(MPI u, MPI v)
|
|
{
|
|
return do_mpi_cmp(u, v, 0);
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_cmp);
|
|
|
|
int mpi_cmpabs(MPI u, MPI v)
|
|
{
|
|
return do_mpi_cmp(u, v, 1);
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_cmpabs);
|