- /* Skip the hashed data */
- ofs = (sig->data[4] << 8) + sig->data[5] + 6;
- if (sig->length < ofs + 2) {
- ret = ONAK_E_INVALID_PKT;
+ /* Need at least 19 bytes for the sig header */
+ if (sig->length < 19) {
+ ret = ONAK_E_INVALID_PKT;
+ goto out;
+ }
+
+ /* Skip to the signature material */
+ ofs += 19;
+ sigkeytype = sig->data[15];
+ } else if (sig->data[0] >= 4) {
+ /* Skip the hashed data */
+ ofs = (sig->data[4] << 8) + sig->data[5] + 6;
+ if (sig->length < ofs + 2) {
+ ret = ONAK_E_INVALID_PKT;
+ goto out;
+ }
+ /* Skip the unhashed data */
+ ofs += (sig->data[ofs] << 8) + sig->data[ofs + 1] + 2;
+ if (sig->length < ofs + 2) {
+ ret = ONAK_E_INVALID_PKT;
+ goto out;
+ }
+ /* Skip the sig hash bytes */
+ ofs += 2;
+ sigkeytype = sig->data[2];
+ } else {
+ ret = ONAK_E_UNSUPPORTED_FEATURE;