diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c

--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c	2019-03-27 15:48:28.316632526 +0100

+++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c	2019-03-27 15:48:48.093594565 +0100

@@ -387,11 +387,6 @@ int LUKS2_disk_hdr_write(struct crypt_de

 		return -EINVAL;

 	}

-	if (hdr->hdr_size != LUKS2_HDR_16K_LEN) {

-		log_dbg("Unsupported LUKS2 header size (%zu).", hdr->hdr_size);

-		return -EINVAL;

-	}

-

 	r = LUKS2_check_device_size(cd, crypt_metadata_device(cd), LUKS2_hdr_and_areas_size(hdr->jobj), 1);

 	if (r)

 		return r;

diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2.h cryptsetup-2.0.3/lib/luks2/luks2.h

--- cryptsetup-2.0.3.old/lib/luks2/luks2.h	2019-03-27 15:48:28.316632526 +0100

+++ cryptsetup-2.0.3/lib/luks2/luks2.h	2019-03-27 15:49:37.033500625 +0100

@@ -326,6 +326,9 @@ int LUKS2_generate_hdr(

 	unsigned int alignOffset,

 	int detached_metadata_device);

+int LUKS2_check_metadata_area_size(uint64_t metadata_size);

+int LUKS2_check_keyslots_area_size(uint64_t keyslots_size);

+

 uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr);

 int LUKS2_get_sector_size(struct luks2_hdr *hdr);

 const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment);

diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c cryptsetup-2.0.3/lib/luks2/luks2_json_format.c

--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c	2019-03-27 15:48:28.317632524 +0100

+++ cryptsetup-2.0.3/lib/luks2/luks2_json_format.c	2019-03-27 15:48:48.094594563 +0100

@@ -114,6 +114,22 @@ int LUKS2_find_area_gap(struct crypt_dev

 	return 0;

 }

+int LUKS2_check_metadata_area_size(uint64_t metadata_size)

+{

+	/* see LUKS2_HDR2_OFFSETS */

+	return (metadata_size != 0x004000 &&

+		metadata_size != 0x008000 && metadata_size != 0x010000 &&

+		metadata_size != 0x020000 && metadata_size != 0x040000 &&

+		metadata_size != 0x080000 && metadata_size != 0x100000 &&

+		metadata_size != 0x200000 && metadata_size != 0x400000);

+}

+

+int LUKS2_check_keyslots_area_size(uint64_t keyslots_size)

+{

+	return (!keyslots_size || (keyslots_size % 4096) ||

+		keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE);

+}

+

 int LUKS2_generate_hdr(

 	struct crypt_device *cd,

 	struct luks2_hdr *hdr,

diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c

--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-03-27 15:48:28.317632524 +0100

+++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-03-27 15:57:44.322526763 +0100

@@ -701,30 +701,18 @@ static int hdr_validate_digests(json_obj

 }

 /* requires keyslots and segments sections being already validated */

-static int validate_keyslots_size(json_object *hdr_jobj, json_object *jobj_keyslots_size)

+static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size)

 {

 	json_object *jobj_keyslots, *jobj, *jobj1;

-	uint64_t keyslots_size, segment_offset, keyslots_area_sum = 0;

-

-	if (!json_str_to_uint64(jobj_keyslots_size, &keyslots_size))

-		return 1;

-

-	if (keyslots_size % 4096) {

-		log_dbg("keyslots_size is not 4 KiB aligned");

-		return 1;

-	}

-

-	if (keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE) {

-		log_dbg("keyslots_size is too large. The cap is %" PRIu64 " bytes", (uint64_t) LUKS2_MAX_KEYSLOTS_SIZE);

-		return 1;

-	}

+	uint64_t segment_offset, keyslots_area_sum = 0;

 	json_object_object_get_ex(hdr_jobj, "segments", &jobj);

 	segment_offset = get_first_data_offset(jobj, "crypt");

 	if (segment_offset &&

 	    (segment_offset < keyslots_size ||

-	     (segment_offset - keyslots_size) < (2 * LUKS2_HDR_16K_LEN))) {

-		log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 ", keyslots offset: %d", keyslots_size, segment_offset, 2 * LUKS2_HDR_16K_LEN);

+	     (segment_offset - keyslots_size) < (2 * metadata_size))) {

+		log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64

+			", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);

 		return 1;

 	}

@@ -738,7 +726,8 @@ static int validate_keyslots_size(json_o

 	}

 	if (keyslots_area_sum > keyslots_size) {

-		log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" PRIu64, keyslots_area_sum, keyslots_size);

+		log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"

+			PRIu64, keyslots_area_sum, keyslots_size);

 		return 1;

 	}

@@ -749,7 +738,7 @@ static int hdr_validate_config(json_obje

 {

 	json_object *jobj_config, *jobj, *jobj1;

 	int i;

-	uint64_t json_size;

+	uint64_t json_size, keyslots_size;

 	if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) {

 		log_dbg("Missing config section.");

@@ -760,21 +749,21 @@ static int hdr_validate_config(json_obje

 	    !json_str_to_uint64(jobj, &json_size))

 		return 1;

-	/* currently it's hardcoded */

-	if (json_size != (LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN)) {

-		log_dbg("Invalid json_size %" PRIu64, json_size);

+	if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) ||

+	    !json_str_to_uint64(jobj, &keyslots_size))

 		return 1;

-	}

-	if (json_size % 4096) {

-		log_dbg("Json area is not properly aligned to 4 KiB.");

+	if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) {

+		log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN);

 		return 1;

 	}

-	if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)))

+	if (LUKS2_check_keyslots_area_size(keyslots_size)) {

+		log_dbg("Unsupported LUKS2 keyslots size (%" PRIu64 ").", keyslots_size);

 		return 1;

+	}

-	if (validate_keyslots_size(hdr_jobj, jobj))

+	if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size))

 		return 1;

 	/* Flags array is optional */