From 532b06d07e6e0e020835f99ff29672eaaded846e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 25 Oct 2019 13:09:04 +0200
Subject: [PATCH] pkcs15: Avoid insane allocations and use single max constant accross the code
https://oss-fuzz.com/testcase-detail/6314983763214336
---
 src/libopensc/card-piv.c | 4 +---
 src/libopensc/dir.c | 2 --
 src/libopensc/opensc.h | 2 ++
 src/libopensc/pkcs15.c | 4 ++++
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
index 2408c5e3..7098e64e 100644
--- a/src/libopensc/card-piv.c
+++ b/src/libopensc/card-piv.c
@@ -55,8 +55,6 @@
 #endif
 #include "simpletlv.h"
 
-#define PIV_MAX_FILE_SIZE 65535
-
 enum {
 PIV_OBJ_CCC = 0,
 PIV_OBJ_CHUI,
@@ -962,7 +960,7 @@ piv_get_data(sc_card_t * card, int enumtag, u8 **buf, size_t *buf_len)
 "buffer for #%d *buf=0x%p len=%"SC_FORMAT_LEN_SIZE_T"u",
 enumtag, *buf, *buf_len);
 if (*buf == NULL && *buf_len > 0) {
- if (*buf_len > PIV_MAX_FILE_SIZE) {
+ if (*buf_len > MAX_FILE_SIZE) {
 goto err;
 }
 *buf = malloc(*buf_len);
diff --git a/src/libopensc/dir.c b/src/libopensc/dir.c
index d458000c..c2a88fd9 100644
--- a/src/libopensc/dir.c
+++ b/src/libopensc/dir.c
@@ -29,8 +29,6 @@
 #include "internal.h"
 #include "asn1.h"
 
-#define MAX_FILE_SIZE 65535
-
 struct app_entry {
 const u8 *aid;
 size_t aid_len;
diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
index 38ad5fa8..15977d78 100644
--- a/src/libopensc/opensc.h
+++ b/src/libopensc/opensc.h
@@ -217,6 +217,8 @@ extern "C" {
 #define SC_EVENT_READER_DETACHED 0x0008
 #define SC_EVENT_READER_EVENTS SC_EVENT_READER_ATTACHED|SC_EVENT_READER_DETACHED
 
+#define MAX_FILE_SIZE 65535
+
 struct sc_supported_algo_info {
 unsigned int reference;
 unsigned int mechanism;
diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
index 7c56c0e7..e313dcc8 100644
--- a/src/libopensc/pkcs15.c
+++ b/src/libopensc/pkcs15.c
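Review bot: In the opensc.h hunk, the new `#define MAX_FILE_SIZE 65535` has no library prefix and no comment, while the neighbouring macros in this header all start with `SC_` and the `extern "C"` context suggests the header is also included by applications. A name this generic can collide with a macro of the same name from another header, and this value is now the bound that guards the allocations in card-piv.c and pkcs15.c (and presumably the remaining uses in dir.c). Consider a prefixed name with a one-line comment, e.g. `/* upper bound accepted for a card-reported file size before it is used as an allocation length */` above `#define SC_MAX_FILE_SIZE 65535`, with the uses in the other files renamed to match.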
@@ -1039,6 +1039,10 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 sc_log(ctx, "EF(ODF) is empty");
 goto end;
 }
+ if (len > MAX_FILE_SIZE) {
+ sc_log(ctx, "EF(ODF) too large");
+ goto end;
+ }
 buf = malloc(len);
 if(buf == NULL)
 LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
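Review bot: The added `if (len > MAX_FILE_SIZE)` branch jumps to `end` without setting any status that is visible in this hunk, so if the function's status variable still holds the success value of an earlier call, an oversized EF(ODF) could be reported to the caller as a successful bind. The existing "EF(ODF) is empty" branch just above has the same shape. Assigning an explicit error such as `SC_ERROR_INVALID_DATA` to the status variable before `goto end;` would make the rejection unambiguous, and logging the rejected length next to the limit would help when triaging a malformed or hostile card. sc_pkcs15_bind_internal starts and ends outside the hunk, so what `end:` returns needs to be confirmed against the full function.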