On Wednesday, 9 September 2015, 09:51:40, Tadeusz Struk wrote:

Hi Tadeusz,

>On 09/09/2015 09:49 AM, Stephan Mueller wrote:
>>>> But, shouldn't there be an overflow check? Maybe not here, but in the
>>>> cases where the function is invoked. There is a kmalloc(src_len) without a
>>>> check for negative values.
>>>
>>> Right, but because testmgr.c calls setkey before this I skipped the
>>> check.
>>
>> But in the rsa.c enc/dec/verify/sign functions, there should be such check,
>> I would guess.
>
>There is see line 419:
>return pkey->n ? mpi_get_size(pkey->n) : -EINVAL;

I feel we are not talking about the same issue. I refer to your patch in
rsa.c:

+ int src_len = sg_len(req->src), dst_len = sg_len(req->dst);

===> can be negative according to your statement

...
+ void *ptr = kmalloc(dst_len, GFP_KERNEL);

===> with a negative number, I guess we have a problem here.

Ciao
Stephan
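Review bot: src_len and dst_len are declared int and, per this thread, sg_len() can return a negative value, yet dst_len is passed straight to kmalloc(), whose size parameter is an unsigned size_t, so a negative length turns into a very large allocation request. Validate both lengths immediately after the sg_len() calls and bail out when either is negative, for example `if (src_len < 0 || dst_len < 0) return -EINVAL;`, and make sure ptr is tested for NULL before first use, since the quoted lines do not show such a test.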