fixed possible NULL dereference

2017-10-30 16:32:57 +01:00 · 2017-10-30 16:32:57 +01:00 · 3ca6c4b04a
parent 10101984da
commit 3ca6c4b04a
3 changed files with 46 additions and 30 deletions
--- a/src/libopensc/asn1.c
+++ b/src/libopensc/asn1.c
@ -1609,44 +1609,56 @@ static int asn1_encode_entry(sc_context_t *ctx, const struct sc_asn1_entry *entr
 		break;
 	case SC_ASN1_BIT_STRING_NI:
 	case SC_ASN1_BIT_STRING:
-		assert(len != NULL);
-		if (entry->type == SC_ASN1_BIT_STRING)
-			r = encode_bit_string((const u8 *) parm, *len, &buf, &buflen, 1);
-		else
-			r = encode_bit_string((const u8 *) parm, *len, &buf, &buflen, 0);
+		if (len != NULL) {
+			if (entry->type == SC_ASN1_BIT_STRING)
+				r = encode_bit_string((const u8 *) parm, *len, &buf, &buflen, 1);
+			else
+				r = encode_bit_string((const u8 *) parm, *len, &buf, &buflen, 0);
+		} else {
+			r = SC_ERROR_INVALID_ARGUMENTS;
+		}
 		break;
 	case SC_ASN1_BIT_FIELD:
-		assert(len != NULL);
-		r = encode_bit_field((const u8 *) parm, *len, &buf, &buflen);
+		if (len != NULL) {
+			r = encode_bit_field((const u8 *) parm, *len, &buf, &buflen);
+		} else {
+			r = SC_ERROR_INVALID_ARGUMENTS;
+		}
 		break;
 	case SC_ASN1_PRINTABLESTRING:
 	case SC_ASN1_OCTET_STRING:
 	case SC_ASN1_UTF8STRING:
-		assert(len != NULL);
-		buf = malloc(*len + 1);
-		if (buf == NULL) {
-			r = SC_ERROR_OUT_OF_MEMORY;
-			break;
+		if (len != NULL) {
+			buf = malloc(*len + 1);
+			if (buf == NULL) {
+				r = SC_ERROR_OUT_OF_MEMORY;
+				break;
+			}
+			buflen = 0;
+			/* If the integer is supposed to be unsigned, insert
+			 * a padding byte if the MSB is one */
+			if ((entry->flags & SC_ASN1_UNSIGNED)
+					&& (((u8 *) parm)[0] & 0x80)) {
+				buf[buflen++] = 0x00;
+			}
+			memcpy(buf + buflen, parm, *len);
+			buflen += *len;
+		} else {
+			r = SC_ERROR_INVALID_ARGUMENTS;
 		}
-		buflen = 0;
-		/* If the integer is supposed to be unsigned, insert
-		 * a padding byte if the MSB is one */
-		if ((entry->flags & SC_ASN1_UNSIGNED)
-		 && (((u8 *) parm)[0] & 0x80)) {
-			buf[buflen++] = 0x00;
-		}
-		memcpy(buf + buflen, parm, *len);
-		buflen += *len;
 		break;
 	case SC_ASN1_GENERALIZEDTIME:
-		assert(len != NULL);
-		buf = malloc(*len);
-		if (buf == NULL) {
-			r = SC_ERROR_OUT_OF_MEMORY;
-			break;
+		if (len != NULL) {
+			buf = malloc(*len);
+			if (buf == NULL) {
+				r = SC_ERROR_OUT_OF_MEMORY;
+				break;
+			}
+			memcpy(buf, parm, *len);
+			buflen = *len;
+		} else {
+			r = SC_ERROR_INVALID_ARGUMENTS;
 		}
-		memcpy(buf, parm, *len);
-		buflen = *len;
 		break;
 	case SC_ASN1_OBJECT:
 		r = sc_asn1_encode_object_id(&buf, &buflen, (struct sc_object_id *) parm);
--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
@ -449,13 +449,13 @@ int sc_pkcs15_verify_pin_with_session_pin(struct sc_pkcs15_card *p15card,
 	sc_log(ctx, "PIN cmd result %i", r);
 	if (r == SC_SUCCESS) {
 		sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen);
-		if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN) {
+		if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) {
 			*sessionpinlen = data.pin2.len;
 		}
 	} else {
 		sc_notify_id(card->ctx, &card->reader->atr, p15card,
 				NOTIFY_PIN_BAD);
-		if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN) {
+		if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) {
 			*sessionpinlen = 0;
 		}
 	}
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@ -3880,6 +3880,10 @@ sc_pkcs15init_create_file(struct sc_profile *profile, struct sc_pkcs15_card *p15
 	int		r;

 	LOG_FUNC_CALLED(ctx);
+	if (!file) {
+		return SC_ERROR_INVALID_ARGUMENTS;
+	}
+
 	sc_log(ctx, "create file '%s'", sc_print_path(&file->path));
 	/* Select parent DF and verify PINs/key as necessary */
 	r = do_select_parent(profile, p15card, file, &parent);