fixed misuse of realloc

Calling it with a size of 0 leads to a free, which may eventually lead to a
double-free corruption.
Frank Morgner 2019-01-17 14:43:28 +01:00
parent d0b499cda3
commit 7f7bcbff52
8 changed files with 35 additions and 10 deletions


@ -1225,6 +1225,8 @@ static int asn1_encode_se_info(sc_context_t *ctx,
if (ret != SC_SUCCESS) if (ret != SC_SUCCESS)
goto err; goto err;
if (!ptrlen)
continue;
p = (unsigned char *) realloc(out, outlen + ptrlen); p = (unsigned char *) realloc(out, outlen + ptrlen);
if (!p) { if (!p) {
ret = SC_ERROR_OUT_OF_MEMORY; ret = SC_ERROR_OUT_OF_MEMORY;
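Review bot: The new `continue` skips the remainder of the loop body, which — judging by the realloc/memcpy pattern that follows — presumably also releases the per-entry buffer whose length `ptrlen` reports; if the encoder can hand back a non-NULL buffer together with `ptrlen == 0`, that buffer leaks on every skipped iteration. Release it before skipping, e.g. `free(<encoded buffer>); <encoded buffer> = NULL;` immediately before the `continue`, or confirm in the encoder that a zero length always comes with a NULL buffer and say so in a comment. The same placement appears in update_transparent (where `if (rec) free(rec)` in the error branch shows `rec` is heap-owned) and in sc_pkcs15_encode_df (`tmp`, freed in its error branch). The enclosing loop in asn1_encode_se_info starts and ends outside the hunk, so the exact position of the release could not be verified here.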


@ -520,6 +520,10 @@ static int sc_hsm_perform_chip_authentication(sc_card_t *card)
r = sc_read_binary(card, 0, all_certs, all_certs_len, 0); r = sc_read_binary(card, 0, all_certs, all_certs_len, 0);
if (r < 0) if (r < 0)
goto err; goto err;
if (r == 0) {
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
}
all_certs_len = r; all_certs_len = r;
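Review bot: The new `r == 0` branch rejects an empty EF with SC_ERROR_FILE_NOT_FOUND, but nothing in the hunk says why zero bytes read is fatal here, and the file was in fact found — it is merely empty. A short why-comment would make the intent clear, e.g. `/* an empty EF holds no certificate chain; bail out before 0 is used as a length */`, and whether an invalid-data code describes the situation better than "file not found" is worth a second look. sc_hsm_perform_chip_authentication continues outside the hunk, so the use made of `all_certs_len` afterwards could not be checked.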


@ -307,6 +307,8 @@ static int update_transparent(sc_card_t *card, sc_file_t *file)
free(buf); free(buf);
return r; return r;
} }
if (!rec_size)
continue;
tmp = (u8 *) realloc(buf, buf_size + rec_size); tmp = (u8 *) realloc(buf, buf_size + rec_size);
if (!tmp) { if (!tmp) {
if (rec) if (rec)


@ -1983,6 +1983,8 @@ sc_pkcs15_encode_df(struct sc_context *ctx, struct sc_pkcs15_card *p15card, stru
free(buf); free(buf);
return r; return r;
} }
if (!tmpsize)
continue;
p = (u8 *) realloc(buf, bufsize + tmpsize); p = (u8 *) realloc(buf, bufsize + tmpsize);
if (!p) { if (!p) {
free(tmp); free(tmp);


@ -672,7 +672,7 @@ int sc_file_set_prop_attr(sc_file_t *file, const u8 *prop_attr,
return SC_ERROR_INVALID_ARGUMENTS; return SC_ERROR_INVALID_ARGUMENTS;
} }
if (prop_attr == NULL) { if (prop_attr == NULL || prop_attr_len == 0) {
if (file->prop_attr != NULL) if (file->prop_attr != NULL)
free(file->prop_attr); free(file->prop_attr);
file->prop_attr = NULL; file->prop_attr = NULL;
@ -702,7 +702,7 @@ int sc_file_set_type_attr(sc_file_t *file, const u8 *type_attr,
return SC_ERROR_INVALID_ARGUMENTS; return SC_ERROR_INVALID_ARGUMENTS;
} }
if (type_attr == NULL) { if (type_attr == NULL || type_attr_len == 0) {
if (file->type_attr != NULL) if (file->type_attr != NULL)
free(file->type_attr); free(file->type_attr);
file->type_attr = NULL; file->type_attr = NULL;
@ -733,7 +733,7 @@ int sc_file_set_content(sc_file_t *file, const u8 *content,
return SC_ERROR_INVALID_ARGUMENTS; return SC_ERROR_INVALID_ARGUMENTS;
} }
if (content == NULL) { if (content == NULL || content_len == 0) {
if (file->encoded_content != NULL) if (file->encoded_content != NULL)
free(file->encoded_content); free(file->encoded_content);
file->encoded_content = NULL; file->encoded_content = NULL;
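Review bot: The three setters now treat a non-NULL buffer with length 0 exactly like a NULL pointer — the stored attribute is freed and reset — which is an observable API change for any caller that passed an empty buffer expecting an empty attribute, and nothing in the hunk records it. A comment on each branch, e.g. `/* NULL or an empty buffer clears the attribute */`, plus the same sentence in the header's doc comments for sc_file_set_prop_attr, sc_file_set_type_attr and sc_file_set_content, would document the new contract. All three bodies continue outside the hunks.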


@ -219,6 +219,8 @@ awp_update_blob(struct sc_context *ctx,
*blob_size += 1 + lv->len; *blob_size += 1 + lv->len;
break; break;
case TLV_TYPE_V : case TLV_TYPE_V :
if (0 == *blob_size + lv->len)
return SC_ERROR_INVALID_DATA;
if (!(pp = realloc(*blob, *blob_size + lv->len))) if (!(pp = realloc(*blob, *blob_size + lv->len)))
return SC_ERROR_OUT_OF_MEMORY; return SC_ERROR_OUT_OF_MEMORY;
memcpy(pp + *blob_size, lv->value, lv->len); memcpy(pp + *blob_size, lv->value, lv->len);
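Review bot: `0 == *blob_size + lv->len` writes the guard in Yoda form while the rest of the hunk writes conditions the natural way, and the reader still has to work out that the sum is the size handed to realloc two lines later. `if (*blob_size + lv->len == 0) /* realloc with size 0 would free *blob */ return SC_ERROR_INVALID_DATA;` says both at once, and a local `size_t newlen = *blob_size + lv->len;` used by the guard and the realloc would keep the two computations in step. The switch in awp_update_blob continues outside the hunk.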


@ -478,7 +478,7 @@ static int format_mse_cdata(struct sc_context *ctx, int protocol,
r = SC_ERROR_INTERNAL; r = SC_ERROR_INTERNAL;
goto err; goto err;
} }
if (length < 0) { if (length <= 0) {
r = SC_ERROR_INTERNAL; r = SC_ERROR_INTERNAL;
goto err; goto err;
} }
@ -1321,6 +1321,10 @@ int perform_pace(sc_card_t *card,
r = SC_ERROR_INTERNAL; r = SC_ERROR_INTERNAL;
goto err; goto err;
} }
if (comp_pub_opp->length == 0) {
r = SC_ERROR_INTERNAL;
goto err;
}
p = realloc(pace_output->id_icc, comp_pub_opp->length); p = realloc(pace_output->id_icc, comp_pub_opp->length);
if (!p) { if (!p) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n"); sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n");
@ -1333,6 +1337,10 @@ int perform_pace(sc_card_t *card,
memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length); memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length);
sc_debug_hex(card->ctx, SC_LOG_DEBUG_SM, "ID ICC", pace_output->id_icc, sc_debug_hex(card->ctx, SC_LOG_DEBUG_SM, "ID ICC", pace_output->id_icc,
pace_output->id_icc_length); pace_output->id_icc_length);
if (comp_pub->length == 0) {
r = SC_ERROR_INTERNAL;
goto err;
}
p = realloc(pace_output->id_pcd, comp_pub->length); p = realloc(pace_output->id_pcd, comp_pub->length);
if (!p) { if (!p) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n"); sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n");
@ -1927,7 +1935,7 @@ eac_sm_encrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
databuf = BUF_MEM_create_init(data, datalen); databuf = BUF_MEM_create_init(data, datalen);
encbuf = EAC_encrypt(eacsmctx->ctx, databuf); encbuf = EAC_encrypt(eacsmctx->ctx, databuf);
if (!databuf || !encbuf) { if (!databuf || !encbuf || !encbuf->length) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data."); sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data.");
ssl_error(card->ctx); ssl_error(card->ctx);
r = SC_ERROR_INTERNAL; r = SC_ERROR_INTERNAL;
@ -1969,7 +1977,7 @@ eac_sm_decrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
encbuf = BUF_MEM_create_init(enc, enclen); encbuf = BUF_MEM_create_init(enc, enclen);
databuf = EAC_decrypt(eacsmctx->ctx, encbuf); databuf = EAC_decrypt(eacsmctx->ctx, encbuf);
if (!encbuf || !databuf) { if (!encbuf || !databuf || !databuf->length) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data."); sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data.");
ssl_error(card->ctx); ssl_error(card->ctx);
r = SC_ERROR_INTERNAL; r = SC_ERROR_INTERNAL;
@ -2016,7 +2024,7 @@ eac_sm_authenticate(sc_card_t *card, const struct iso_sm_ctx *ctx,
} }
macbuf = EAC_authenticate(eacsmctx->ctx, inbuf); macbuf = EAC_authenticate(eacsmctx->ctx, inbuf);
if (!macbuf) { if (!macbuf || !macbuf->length) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
"Could not compute message authentication code (MAC)."); "Could not compute message authentication code (MAC).");
ssl_error(card->ctx); ssl_error(card->ctx);
@ -2105,7 +2113,7 @@ add_tag(unsigned char **asn1new, int constructed, int tag,
return -1; return -1;
newlen = ASN1_object_size(constructed, len, tag); newlen = ASN1_object_size(constructed, len, tag);
if (newlen < 0) if (newlen <= 0)
return newlen; return newlen;
p = OPENSSL_realloc(*asn1new, newlen); p = OPENSSL_realloc(*asn1new, newlen);
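Review bot: In add_tag, `if (newlen <= 0) return newlen;` returns 0 when ASN1_object_size yields 0, whereas the function's other failure path two lines above reports `return -1`; a caller that checks only `r < 0` would presumably take 0 as success with an empty object, which is not what the guard intends. Report it as an error: `if (newlen < 0) return newlen; if (newlen == 0) return -1;`. The zero-length checks added to perform_pace at 1321 and 1333 are verbatim copies of each other; a shared comment stating why an empty compressed public key is refused, or a small static helper, would avoid repeating the four-line block. add_tag's body continues outside the hunk.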


@ -92,7 +92,12 @@ add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
switch (ctx->padding_indicator) { switch (ctx->padding_indicator) {
case SM_NO_PADDING: case SM_NO_PADDING:
if (*padded != data) { if (*padded != data) {
p = realloc(*padded, datalen); if (datalen == 0) {
free(*padded);
p = malloc(datalen);
} else {
p = realloc(*padded, datalen);
}
if (!p) if (!p)
return SC_ERROR_OUT_OF_MEMORY; return SC_ERROR_OUT_OF_MEMORY;
*padded = p; *padded = p;
@ -146,7 +151,7 @@ static int format_le(size_t le, struct sc_asn1_entry *le_entry,
{ {
u8 *p; u8 *p;
if (!lebuf || !le_len) if (!lebuf || !le_len || !*le_len)
return SC_ERROR_INVALID_ARGUMENTS; return SC_ERROR_INVALID_ARGUMENTS;
p = realloc(*lebuf, *le_len); p = realloc(*lebuf, *le_len);
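Review bot: In the new `datalen == 0` branch of add_padding, `free(*padded)` leaves `*padded` pointing at released memory until `*padded = p` further down, and `malloc(0)` may legitimately return NULL on some C libraries — in that case the function returns SC_ERROR_OUT_OF_MEMORY with `*padded` still dangling, and a caller that later frees it hits the very double free this commit sets out to remove. Clear the pointer as soon as it is released, `free(*padded); *padded = NULL; p = malloc(datalen);`, and consider treating a zero-length input as a no-op instead of allocating, since there is nothing to copy. The SM_NO_PADDING case continues outside the hunk, so whether callers rely on a non-NULL `*padded` for length 0 could not be checked. The `!*le_len` guard added to format_le is consistent with the rest of the change.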