fixed out of bounds writes
Thanks to Eric Sesterhenn from X41 D-SEC GmbH for reporting the problems.
parent
8fe377e93b
commit
360e95d45a
|
@ -794,7 +794,7 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri
|
||||||
}
|
}
|
||||||
if (priv->cac_id_len) {
|
if (priv->cac_id_len) {
|
||||||
serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR);
|
serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR);
|
||||||
memcpy(serial->value, priv->cac_id, priv->cac_id_len);
|
memcpy(serial->value, priv->cac_id, serial->len);
|
||||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
|
||||||
}
|
}
|
||||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
|
||||||
|
|
|
@ -951,7 +951,7 @@ decrypt_response(struct sc_card *card, unsigned char *in, size_t inlen, unsigned
|
||||||
while (0x80 != plaintext[cipher_len - 2] && (cipher_len - 2 > 0))
|
while (0x80 != plaintext[cipher_len - 2] && (cipher_len - 2 > 0))
|
||||||
cipher_len--;
|
cipher_len--;
|
||||||
|
|
||||||
if (2 == cipher_len)
|
if (2 == cipher_len || *out_len < cipher_len - 2)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
memcpy(out, plaintext, cipher_len - 2);
|
memcpy(out, plaintext, cipher_len - 2);
|
||||||
|
@ -977,6 +977,7 @@ epass2003_sm_unwrap_apdu(struct sc_card *card, struct sc_apdu *sm, struct sc_apd
|
||||||
r = sc_check_sw(card, sm->sw1, sm->sw2);
|
r = sc_check_sw(card, sm->sw1, sm->sw2);
|
||||||
if (r == SC_SUCCESS) {
|
if (r == SC_SUCCESS) {
|
||||||
if (exdata->sm) {
|
if (exdata->sm) {
|
||||||
|
len = plain->resplen;
|
||||||
if (0 != decrypt_response(card, sm->resp, sm->resplen, plain->resp, &len))
|
if (0 != decrypt_response(card, sm->resp, sm->resplen, plain->resp, &len))
|
||||||
return SC_ERROR_CARD_CMD_FAILED;
|
return SC_ERROR_CARD_CMD_FAILED;
|
||||||
}
|
}
|
||||||
|
|
|
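Review bot: The padding scan in decrypt_response still indexes `plaintext[cipher_len - 2]` before it tests `cipher_len - 2 > 0`, and the new `*out_len < cipher_len - 2` comparison inherits the same subtraction. If cipher_len is an unsigned type (its declaration is outside the hunk) and can arrive below 2, the subtraction wraps and neither the loop nor the new guard protects the memcpy. Testing the bound first, `while (cipher_len > 2 && 0x80 != plaintext[cipher_len - 2])`, followed by `if (cipher_len <= 2 || *out_len < cipher_len - 2)`, keeps every index and the copy length in range. The added `len = plain->resplen;` in epass2003_sm_unwrap_apdu also assumes callers set resplen to the capacity of plain->resp, which deserves a one-line comment at that assignment.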
@ -519,6 +519,8 @@ static int muscle_list_files(sc_card_t *card, u8 *buf, size_t bufLen)
|
||||||
|
|
||||||
for(x = 0; x < fs->cache.size; x++) {
|
for(x = 0; x < fs->cache.size; x++) {
|
||||||
u8* oid = fs->cache.array[x].objectId.id;
|
u8* oid = fs->cache.array[x].objectId.id;
|
||||||
|
if (bufLen < 2)
|
||||||
|
break;
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
|
||||||
"FILE: %02X%02X%02X%02X\n",
|
"FILE: %02X%02X%02X%02X\n",
|
||||||
oid[0],oid[1],oid[2],oid[3]);
|
oid[0],oid[1],oid[2],oid[3]);
|
||||||
|
@ -528,6 +530,7 @@ static int muscle_list_files(sc_card_t *card, u8 *buf, size_t bufLen)
|
||||||
if(buf[0] == 0x00 && buf[1] == 0x00) continue; /* No directories/null names outside of root */
|
if(buf[0] == 0x00 && buf[1] == 0x00) continue; /* No directories/null names outside of root */
|
||||||
buf += 2;
|
buf += 2;
|
||||||
count += 2;
|
count += 2;
|
||||||
|
bufLen -= 2;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return count;
|
return count;
|
||||||
|
|
|
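Review bot: The new `if (bufLen < 2) break;` in muscle_list_files ends the listing silently, so a caller cannot tell a complete list from one cut short by a small buffer. The returned count looks the same in both cases. At minimum say so above the check, e.g. `/* buf is full: stop here, the returned list is truncated */`, or log the truncation with sc_debug as the loop already does for each file. The function starts and ends outside the hunks shown.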
@ -408,7 +408,7 @@ static int tcos_select_file(sc_card_t *card,
|
||||||
file->path = *in_path;
|
file->path = *in_path;
|
||||||
|
|
||||||
for(i=2; i+1<apdu.resplen && i+1+apdu.resp[i+1]<apdu.resplen; i+=2+apdu.resp[i+1]){
|
for(i=2; i+1<apdu.resplen && i+1+apdu.resp[i+1]<apdu.resplen; i+=2+apdu.resp[i+1]){
|
||||||
int j, len=apdu.resp[i+1];
|
size_t j, len=apdu.resp[i+1];
|
||||||
unsigned char type=apdu.resp[i], *d=apdu.resp+i+2;
|
unsigned char type=apdu.resp[i], *d=apdu.resp+i+2;
|
||||||
|
|
||||||
switch (type) {
|
switch (type) {
|
||||||
|
@ -432,8 +432,8 @@ static int tcos_select_file(sc_card_t *card,
|
||||||
file->id = (d[0]<<8) | d[1];
|
file->id = (d[0]<<8) | d[1];
|
||||||
break;
|
break;
|
||||||
case 0x84:
|
case 0x84:
|
||||||
memcpy(file->name, d, len);
|
file->namelen = MIN(sizeof file->name, len);
|
||||||
file->namelen = len;
|
memcpy(file->name, d, file->namelen);
|
||||||
break;
|
break;
|
||||||
case 0x86:
|
case 0x86:
|
||||||
sc_file_set_sec_attr(file, d, len);
|
sc_file_set_sec_attr(file, d, len);
|
||||||
|
|
|
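Review bot: The case directly above `case 0x84:` in tcos_select_file reads `d[0]` and `d[1]` for file->id without looking at `len`, while the commit bounds only the 0x84 copy. The loop condition guarantees just that the declared value fits inside apdu.resplen, so a TLV whose length byte is 0 or 1 lets that read run past the value the card supplied. A guard such as `if (len >= 2) file->id = (d[0]<<8) | d[1];` would close it. The case label and the remaining cases lie outside the hunk, so other branches that index `d` should be checked the same way.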
@ -79,7 +79,7 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
|
||||||
/* read the serial (document number) */
|
/* read the serial (document number) */
|
||||||
r = sc_read_record (card, SC_ESTEID_PD_DOCUMENT_NR, buff, sizeof(buff), SC_RECORD_BY_REC_NR);
|
r = sc_read_record (card, SC_ESTEID_PD_DOCUMENT_NR, buff, sizeof(buff), SC_RECORD_BY_REC_NR);
|
||||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "read document number failed");
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "read document number failed");
|
||||||
buff[r] = '\0';
|
buff[MIN((size_t) r, (sizeof buff)-1)] = '\0';
|
||||||
set_string (&p15card->tokeninfo->serial_number, (const char *) buff);
|
set_string (&p15card->tokeninfo->serial_number, (const char *) buff);
|
||||||
|
|
||||||
p15card->tokeninfo->flags = SC_PKCS15_TOKEN_PRN_GENERATION
|
p15card->tokeninfo->flags = SC_PKCS15_TOKEN_PRN_GENERATION
|
||||||
|
|
|
@ -208,7 +208,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
|
||||||
* the private key.
|
* the private key.
|
||||||
*/
|
*/
|
||||||
ind = 2; /* skip length */
|
ind = 2; /* skip length */
|
||||||
while (ibuf[ind] == 0x01) {
|
while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
|
||||||
if (ibuf[ind+1] == 0xFE) {
|
if (ibuf[ind+1] == 0xFE) {
|
||||||
gemsafe_prkeys[i].ref = ibuf[ind+4];
|
gemsafe_prkeys[i].ref = ibuf[ind+4];
|
||||||
sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
|
sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
|
||||||
|
|
|
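Review bot: The added `i < gemsafe_cert_max` bounds the write into gemsafe_prkeys, but `ind` is still unchecked in gemsafe_get_cert_len while the loop reads `ibuf[ind]`, `ibuf[ind+1]` and `ibuf[ind+4]`. How `ind` advances and how many bytes ibuf holds are outside the hunk, so this is a point to confirm rather than a proven overrun: if the card controls the number of records, the condition also needs a limit on `ind + 4` against the number of bytes actually read into ibuf. Putting the index test first, `while (i < gemsafe_cert_max && ibuf[ind] == 0x01)`, would also make the bound easier to see.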
@ -837,6 +837,7 @@ static int sc_pkcs15emu_sc_hsm_init (sc_pkcs15_card_t * p15card)
|
||||||
r = read_file(p15card, (u8 *) "\x2F\x02", efbin, &len, 1);
|
r = read_file(p15card, (u8 *) "\x2F\x02", efbin, &len, 1);
|
||||||
LOG_TEST_RET(card->ctx, r, "Skipping optional EF.C_DevAut");
|
LOG_TEST_RET(card->ctx, r, "Skipping optional EF.C_DevAut");
|
||||||
|
|
||||||
|
if (len > 0) {
|
||||||
/* save EF_C_DevAut for further use */
|
/* save EF_C_DevAut for further use */
|
||||||
ptr = realloc(priv->EF_C_DevAut, len);
|
ptr = realloc(priv->EF_C_DevAut, len);
|
||||||
if (ptr) {
|
if (ptr) {
|
||||||
|
@ -844,6 +845,7 @@ static int sc_pkcs15emu_sc_hsm_init (sc_pkcs15_card_t * p15card)
|
||||||
priv->EF_C_DevAut = ptr;
|
priv->EF_C_DevAut = ptr;
|
||||||
priv->EF_C_DevAut_len = len;
|
priv->EF_C_DevAut_len = len;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ptr = efbin;
|
ptr = efbin;
|
||||||
}
|
}
|
||||||
|
|
|
@ -628,7 +628,7 @@ int sc_file_set_sec_attr(sc_file_t *file, const u8 *sec_attr,
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
return SC_ERROR_INVALID_ARGUMENTS;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sec_attr == NULL) {
|
if (sec_attr == NULL || sec_attr_len) {
|
||||||
if (file->sec_attr != NULL)
|
if (file->sec_attr != NULL)
|
||||||
free(file->sec_attr);
|
free(file->sec_attr);
|
||||||
file->sec_attr = NULL;
|
file->sec_attr = NULL;
|
||||||
|
|
|
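Review bot: The new condition `sec_attr == NULL || sec_attr_len` is true for every non-zero length, so sc_file_set_sec_attr now takes the clearing branch for any non-empty attribute. The intent was presumably to treat an empty attribute like a NULL one: `if (sec_attr == NULL || sec_attr_len == 0) {`. As written, callers such as the `sc_file_set_sec_attr(file, d, len)` call in tcos_select_file would have their security attributes freed and reset instead of stored, assuming the branch returns after clearing (the rest of it is outside the hunk).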
@ -21,6 +21,7 @@
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
|
||||||
#include "libopensc/sc-ossl-compat.h"
|
#include "libopensc/sc-ossl-compat.h"
|
||||||
|
#include "libopensc/internal.h"
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#include <openssl/rsa.h>
|
#include <openssl/rsa.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
|
@ -331,7 +332,7 @@ static int read_public_key(RSA *rsa)
|
||||||
fprintf(stderr, "Unable to select public key file: %s\n", sc_strerror(r));
|
fprintf(stderr, "Unable to select public key file: %s\n", sc_strerror(r));
|
||||||
return 2;
|
return 2;
|
||||||
}
|
}
|
||||||
bufsize = file->size;
|
bufsize = MIN(file->size, sizeof buf);
|
||||||
sc_file_free(file);
|
sc_file_free(file);
|
||||||
r = sc_read_binary(card, 0, buf, bufsize, 0);
|
r = sc_read_binary(card, 0, buf, bufsize, 0);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
|
@ -382,7 +383,7 @@ static int read_private_key(RSA *rsa)
|
||||||
e = sc_file_get_acl_entry(file, SC_AC_OP_READ);
|
e = sc_file_get_acl_entry(file, SC_AC_OP_READ);
|
||||||
if (e == NULL || e->method == SC_AC_NEVER)
|
if (e == NULL || e->method == SC_AC_NEVER)
|
||||||
return 10;
|
return 10;
|
||||||
bufsize = file->size;
|
bufsize = MIN(file->size, sizeof buf);
|
||||||
sc_file_free(file);
|
sc_file_free(file);
|
||||||
r = sc_read_binary(card, 0, buf, bufsize, 0);
|
r = sc_read_binary(card, 0, buf, bufsize, 0);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
|
|
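Review bot: Clamping with `bufsize = MIN(file->size, sizeof buf);` in read_public_key, and identically in read_private_key, stops the overrun but turns an oversized key file into a silently truncated read. The code after sc_read_binary is outside the hunks, yet it presumably parses buf as a complete key. Rejecting the file is safer than parsing part of it: test `if (file->size > sizeof buf)` before the assignment, free the file and return an error in that branch.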
|
@ -149,7 +149,7 @@ int read_file(struct sc_card *card, char *str_path, unsigned char **data, size_t
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
len = file ? file->size : 4096;
|
len = file && file->size > 0 ? file->size : 4096;
|
||||||
p = realloc(*data, len);
|
p = realloc(*data, len);
|
||||||
if (!p) {
|
if (!p) {
|
||||||
goto err;
|
goto err;
|
||||||
|
|
|
@ -339,10 +339,11 @@ const char * util_acl_to_str(const sc_acl_entry_t *e)
|
||||||
strcpy(buf, "????");
|
strcpy(buf, "????");
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
strcat(line, buf);
|
strncat(line, buf, sizeof line);
|
||||||
strcat(line, " ");
|
strncat(line, " ", sizeof line);
|
||||||
e = e->next;
|
e = e->next;
|
||||||
}
|
}
|
||||||
|
line[(sizeof line)-1] = '\0'; /* make sure it's NUL terminated */
|
||||||
line[strlen(line)-1] = 0; /* get rid of trailing space */
|
line[strlen(line)-1] = 0; /* get rid of trailing space */
|
||||||
return line;
|
return line;
|
||||||
}
|
}
|
||||||
|
|
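Review bot: `strncat(line, buf, sizeof line)` in util_acl_to_str does not bound the destination, because strncat's third argument limits how many characters are taken from the source and a NUL is appended on top of that. With the full array size passed, the call can still write past the end of `line`, and the later `line[(sizeof line)-1] = '\0'` runs only after any overrun has happened. The limit has to be the space left, `strncat(line, buf, sizeof line - strlen(line) - 1);`, and the same for the `" "` append. Separately, `line[strlen(line)-1] = 0` indexes before the array if `line` is empty at that point; whether that can happen depends on code outside the hunk.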