fixed misuse of realloc
calling it with size 0 leads to a free, which eventually may lead to a double free corruption.
parent
d0b499cda3
commit
7f7bcbff52
|
@ -1225,6 +1225,8 @@ static int asn1_encode_se_info(sc_context_t *ctx,
|
|||
if (ret != SC_SUCCESS)
|
||||
goto err;
|
||||
|
||||
if (!ptrlen)
|
||||
continue;
|
||||
p = (unsigned char *) realloc(out, outlen + ptrlen);
|
||||
if (!p) {
|
||||
ret = SC_ERROR_OUT_OF_MEMORY;
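Review bot: The `if (!ptrlen) continue;` guard in asn1_encode_se_info leaves the iteration before whatever releases `ptr`, so a non-NULL `ptr` returned with a zero length would be carried into the next iteration unfreed. The same early `continue` appears in update_transparent (`if (!rec_size)`) and sc_pkcs15_encode_df (`if (!tmpsize)`), where the out-of-memory branch visibly frees `tmp` (and tests `rec`), which suggests these per-iteration buffers are owned by the loop. Whether the encoders can hand back an allocated buffer with length 0 is not visible here, and the loop bodies continue outside the hunks; if they can, release the buffer before skipping, e.g. `if (!ptrlen) { free(ptr); ptr = NULL; continue; }`.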
|
||||
|
|
|
@ -520,6 +520,10 @@ static int sc_hsm_perform_chip_authentication(sc_card_t *card)
|
|||
r = sc_read_binary(card, 0, all_certs, all_certs_len, 0);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
if (r == 0) {
|
||||
r = SC_ERROR_FILE_NOT_FOUND;
|
||||
goto err;
|
||||
}
|
||||
|
||||
all_certs_len = r;
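Review bot: The new `if (r == 0)` branch in sc_hsm_perform_chip_authentication has no comment saying why an empty read is fatal, and it reports SC_ERROR_FILE_NOT_FOUND although the read itself succeeded. The later use of `all_certs_len` lies outside the hunk; if the intent is to keep a zero length away from a later realloc(), record that, e.g. `/* empty read: a zero all_certs_len must not reach realloc() */`. An error code that describes empty content would also make logs easier to interpret; SC_ERROR_INVALID_DATA is what awp_update_blob returns for the analogous case in this commit.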
|
||||
|
||||
|
|
|
@ -307,6 +307,8 @@ static int update_transparent(sc_card_t *card, sc_file_t *file)
|
|||
free(buf);
|
||||
return r;
|
||||
}
|
||||
if (!rec_size)
|
||||
continue;
|
||||
tmp = (u8 *) realloc(buf, buf_size + rec_size);
|
||||
if (!tmp) {
|
||||
if (rec)
|
||||
|
|
|
@ -1983,6 +1983,8 @@ sc_pkcs15_encode_df(struct sc_context *ctx, struct sc_pkcs15_card *p15card, stru
|
|||
free(buf);
|
||||
return r;
|
||||
}
|
||||
if (!tmpsize)
|
||||
continue;
|
||||
p = (u8 *) realloc(buf, bufsize + tmpsize);
|
||||
if (!p) {
|
||||
free(tmp);
|
||||
|
|
|
@ -672,7 +672,7 @@ int sc_file_set_prop_attr(sc_file_t *file, const u8 *prop_attr,
|
|||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
}
|
||||
|
||||
if (prop_attr == NULL) {
|
||||
if (prop_attr == NULL || prop_attr_len == 0) {
|
||||
if (file->prop_attr != NULL)
|
||||
free(file->prop_attr);
|
||||
file->prop_attr = NULL;
|
||||
|
@ -702,7 +702,7 @@ int sc_file_set_type_attr(sc_file_t *file, const u8 *type_attr,
|
|||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
}
|
||||
|
||||
if (type_attr == NULL) {
|
||||
if (type_attr == NULL || type_attr_len == 0) {
|
||||
if (file->type_attr != NULL)
|
||||
free(file->type_attr);
|
||||
file->type_attr = NULL;
|
||||
|
@ -733,7 +733,7 @@ int sc_file_set_content(sc_file_t *file, const u8 *content,
|
|||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
}
|
||||
|
||||
if (content == NULL) {
|
||||
if (content == NULL || content_len == 0) {
|
||||
if (file->encoded_content != NULL)
|
||||
free(file->encoded_content);
|
||||
file->encoded_content = NULL;
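Review bot: sc_file_set_prop_attr, sc_file_set_type_attr and sc_file_set_content now treat a zero length like a NULL pointer and clear the stored buffer, which changes the functions' contract without any comment recording it. A caller that passes a valid pointer with length 0 gets the old buffer freed and the field set to NULL. A one-line header comment on each, such as `/* A NULL pointer or a zero length clears the attribute. */`, would document this. The function bodies start and end outside the hunks, so what is returned on that path is not visible here.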
|
||||
|
|
|
@ -219,6 +219,8 @@ awp_update_blob(struct sc_context *ctx,
|
|||
*blob_size += 1 + lv->len;
|
||||
break;
|
||||
case TLV_TYPE_V :
|
||||
if (0 == *blob_size + lv->len)
|
||||
return SC_ERROR_INVALID_DATA;
|
||||
if (!(pp = realloc(*blob, *blob_size + lv->len)))
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
memcpy(pp + *blob_size, lv->value, lv->len);
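Review bot: The check added under `case TLV_TYPE_V` in awp_update_blob rejects only the case where `*blob_size + lv->len` is exactly zero, and it carries no comment explaining why an empty append is an error rather than a no-op. A short comment would tie it to the commit's purpose, e.g. `/* realloc(ptr, 0) may free ptr; refuse an empty result */`. The other cases of this switch lie outside the hunk, so whether their realloc() sizes can reach zero is not visible here.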
|
||||
|
|
|
@ -478,7 +478,7 @@ static int format_mse_cdata(struct sc_context *ctx, int protocol,
|
|||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
if (length < 0) {
|
||||
if (length <= 0) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
|
@ -1321,6 +1321,10 @@ int perform_pace(sc_card_t *card,
|
|||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
if (comp_pub_opp->length == 0) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
p = realloc(pace_output->id_icc, comp_pub_opp->length);
|
||||
if (!p) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n");
|
||||
|
@ -1333,6 +1337,10 @@ int perform_pace(sc_card_t *card,
|
|||
memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length);
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_SM, "ID ICC", pace_output->id_icc,
|
||||
pace_output->id_icc_length);
|
||||
if (comp_pub->length == 0) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
p = realloc(pace_output->id_pcd, comp_pub->length);
|
||||
if (!p) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n");
|
||||
|
@ -1927,7 +1935,7 @@ eac_sm_encrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
|||
|
||||
databuf = BUF_MEM_create_init(data, datalen);
|
||||
encbuf = EAC_encrypt(eacsmctx->ctx, databuf);
|
||||
if (!databuf || !encbuf) {
|
||||
if (!databuf || !encbuf || !encbuf->length) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data.");
|
||||
ssl_error(card->ctx);
|
||||
r = SC_ERROR_INTERNAL;
|
||||
|
@ -1969,7 +1977,7 @@ eac_sm_decrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
|||
|
||||
encbuf = BUF_MEM_create_init(enc, enclen);
|
||||
databuf = EAC_decrypt(eacsmctx->ctx, encbuf);
|
||||
if (!encbuf || !databuf) {
|
||||
if (!encbuf || !databuf || !databuf->length) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data.");
|
||||
ssl_error(card->ctx);
|
||||
r = SC_ERROR_INTERNAL;
|
||||
|
@ -2016,7 +2024,7 @@ eac_sm_authenticate(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
|||
}
|
||||
|
||||
macbuf = EAC_authenticate(eacsmctx->ctx, inbuf);
|
||||
if (!macbuf) {
|
||||
if (!macbuf || !macbuf->length) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
|
||||
"Could not compute message authentication code (MAC).");
|
||||
ssl_error(card->ctx);
|
||||
|
@ -2105,7 +2113,7 @@ add_tag(unsigned char **asn1new, int constructed, int tag,
|
|||
return -1;
|
||||
|
||||
newlen = ASN1_object_size(constructed, len, tag);
|
||||
if (newlen < 0)
|
||||
if (newlen <= 0)
|
||||
return newlen;
|
||||
|
||||
p = OPENSSL_realloc(*asn1new, newlen);
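Review bot: In add_tag, `if (newlen <= 0) return newlen;` returns 0 when ASN1_object_size() yields zero, while the line above reports failure as -1, so a caller that tests only for a negative result would treat the zero as success. The format_mse_cdata hunk in this section widens its test to `if (length <= 0)`, which may be the matching caller-side change; other callers are not visible here. Returning a single error value keeps the contract simple: `if (newlen <= 0) return -1;`. add_tag's body continues outside the hunk.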
|
||||
|
|
|
@ -92,7 +92,12 @@ add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
|
|||
switch (ctx->padding_indicator) {
|
||||
case SM_NO_PADDING:
|
||||
if (*padded != data) {
|
||||
p = realloc(*padded, datalen);
|
||||
if (datalen == 0) {
|
||||
free(*padded);
|
||||
p = malloc(datalen);
|
||||
} else {
|
||||
p = realloc(*padded, datalen);
|
||||
}
|
||||
if (!p)
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
*padded = p;
|
||||
|
@ -146,7 +151,7 @@ static int format_le(size_t le, struct sc_asn1_entry *le_entry,
|
|||
{
|
||||
u8 *p;
|
||||
|
||||
if (!lebuf || !le_len)
|
||||
if (!lebuf || !le_len || !*le_len)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
p = realloc(*lebuf, *le_len);
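Review bot: In add_padding's SM_NO_PADDING branch, the `datalen == 0` path calls `free(*padded)` and then `malloc(datalen)`; malloc(0) is allowed to return NULL, and in that case the function returns SC_ERROR_OUT_OF_MEMORY with `*padded` still pointing at the freed block. A caller that frees `*padded` on error would then free it twice, which is the corruption this commit sets out to remove. Clear the pointer and request a non-zero size: `free(*padded); *padded = NULL; p = malloc(1);`. The switch continues outside the hunk.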
|
||||
|
|