Fix off-by one exit condition in pkcs#11 priv keys lookup
authorBenjamin Herrenschmidt <benh@kernel.crashing.org>
Wed, 30 Mar 2022 21:57:07 +0000 (08:57 +1100)
committerBenjamin Herrenschmidt <benh@kernel.crashing.org>
Wed, 30 Mar 2022 22:13:47 +0000 (09:13 +1100)
In function find_privkeys(), the list-> array is allocated to be of size
lists->key_ids_size. "current" is the index where the next found key will
be written (starts at 0).

The current exit condition is thus incorrect:

if (current > list->key_ids_size)
break;

This allows "current" to become equal to list->key_ids_size, which can cause an out-of-bounds write if the loop returns more keys than were originally found when that size was calculated.

This is very unlikely, but incorrect nonetheless.

Fix this by using the more classic construct of testing for the array bound
in the loop exit condition, as suggested by Daiki Ueno.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
lib/pkcs11.c

index a822b1b497c15f502f2ce4e36c9c66455fc2c8ab..3ece1d9f8d770f959755a2df91516e7c5fca4f61 100644 (file)
@@ -3081,7 +3081,8 @@ find_privkeys(struct pkcs11_session_info *sinfo,
        current = 0;
        while (pkcs11_find_objects
               (sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK
-              && count == 1) {
+              && count == 1
+              && current < list->key_ids_size) {
 
                a[0].type = CKA_ID;
                a[0].value = certid_tmp;
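Review bot: The new bound check on the last line of the while condition is evaluated only after pkcs11_find_objects() has already pulled the next object handle, so once the array is full the loop still performs one extra search call whose result is discarded; testing the bound first avoids that: `while (current < list->key_ids_size` / `       && pkcs11_find_objects(sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK` / `       && count == 1) {`. When the bound does trigger, any further matching keys are now dropped silently, and nothing in the hunk records that this happened; a comment above the loop such as `/* Stop once key_ids_size entries are filled; any extra matches are dropped. */` (or a debug log line, if the file has one) would make that intentional truncation visible to the next reader. The loop body and the rest of find_privkeys() continue past the end of this hunk.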
@@ -3098,9 +3099,6 @@ find_privkeys(struct pkcs11_session_info *sinfo,
                                return gnutls_assert_val(ret);
                        current++;
                }
-
-               if (current > list->key_ids_size)
-                       break;
        }
 
        pkcs11_find_objects_final(sinfo);