From: David Howells Date: Thu, 12 Nov 2015 09:36:40 +0000 (+0000) Subject: X.509: Fix the time validation [ver #2] X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=cc25b994acfbc901429da682d0f73c190e960206;p=openwrt%2Fstaging%2Fblogic.git X.509: Fix the time validation [ver #2] This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. Fix the X.509 time validation to use month number-1 when looking up the number of days in that month. Also put the month number validation before doing the lookup so as not to risk overrunning the array. This can be tested by doing the following: cat < Signed-off-by: David Howells Tested-by: Mimi Zohar Acked-by: David Woodhouse Signed-off-by: James Morris --- diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 3000ea3b6687..021d39c0ba75 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t, size_t hdrlen, if (*p != 'Z') goto unsupported_time; - mon_len = month_lengths[mon]; + if (year < 1970 || + mon < 1 || mon > 12) + goto invalid_time; + + mon_len = month_lengths[mon - 1]; if (mon == 2) { if (year % 4 == 0) { mon_len = 29; @@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t, size_t hdrlen, } } - if (year < 1970 || - mon < 1 || mon > 12 || - day < 1 || day > mon_len || + if (day < 1 || day > mon_len || hour > 23 || min > 59 || sec > 59) goto invalid_time; - + *_t = mktime64(year, mon, day, hour, min, sec); return 0;