fixed misuse of realloc
Calling it with size 0 frees the buffer, which may eventually lead to a double-free corruption.
This commit is contained in:
parent
d0b499cda3
commit
7f7bcbff52
|
@ -1225,6 +1225,8 @@ static int asn1_encode_se_info(sc_context_t *ctx,
|
||||||
if (ret != SC_SUCCESS)
|
if (ret != SC_SUCCESS)
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
|
if (!ptrlen)
|
||||||
|
continue;
|
||||||
p = (unsigned char *) realloc(out, outlen + ptrlen);
|
p = (unsigned char *) realloc(out, outlen + ptrlen);
|
||||||
if (!p) {
|
if (!p) {
|
||||||
ret = SC_ERROR_OUT_OF_MEMORY;
|
ret = SC_ERROR_OUT_OF_MEMORY;
|
||||||
|
|
|
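Review bot: The added `if (!ptrlen) continue;` carries no comment saying why a zero-length element has to be skipped, so a later reader can take it for a redundant optimisation and drop it, reintroducing the `realloc(out, 0)` this commit removes. A one-line comment such as `/* realloc() with size 0 may free out, and nothing needs appending */` would pin the intent; the same bare guards added in update_transparent, sc_pkcs15_encode_df, awp_update_blob, perform_pace and format_le deserve the same remark. The loop body and the `err` cleanup of asn1_encode_se_info lie outside the hunk.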
@ -520,6 +520,10 @@ static int sc_hsm_perform_chip_authentication(sc_card_t *card)
|
||||||
r = sc_read_binary(card, 0, all_certs, all_certs_len, 0);
|
r = sc_read_binary(card, 0, all_certs, all_certs_len, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto err;
|
goto err;
|
||||||
|
if (r == 0) {
|
||||||
|
r = SC_ERROR_FILE_NOT_FOUND;
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
all_certs_len = r;
|
all_certs_len = r;
|
||||||
|
|
||||||
|
|
|
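Review bot: `r == 0` from sc_read_binary means the certificate file was read but yielded zero bytes, so reporting it as SC_ERROR_FILE_NOT_FOUND misdescribes the condition to callers and in logs; an empty file is invalid content rather than a missing file, and SC_ERROR_INVALID_DATA, which this commit uses for the analogous case in awp_update_blob, fits better. The guard itself is sound in that it presumably stops `all_certs_len = r` from becoming 0 before the buffer is used further down. The function continues outside the hunk.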
@ -307,6 +307,8 @@ static int update_transparent(sc_card_t *card, sc_file_t *file)
|
||||||
free(buf);
|
free(buf);
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
if (!rec_size)
|
||||||
|
continue;
|
||||||
tmp = (u8 *) realloc(buf, buf_size + rec_size);
|
tmp = (u8 *) realloc(buf, buf_size + rec_size);
|
||||||
if (!tmp) {
|
if (!tmp) {
|
||||||
if (rec)
|
if (rec)
|
||||||
|
|
|
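Review bot: The new `if (!rec_size) continue;` jumps to the next iteration before the loop body's cleanup runs; the `if (rec)` in the out-of-memory branch two lines below suggests `rec` is a heap buffer owned by this iteration, so a zero-length record whose read still produced a non-NULL `rec` would be leaked. If that is the case the skip should release it first, e.g. `if (!rec_size) { free(rec); rec = NULL; continue; }`. The same pattern appears in sc_pkcs15_encode_df, where the OOM branch calls `free(tmp)` and the added `if (!tmpsize) continue;` bypasses it. Both loops start and end outside their hunks.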
@ -1983,6 +1983,8 @@ sc_pkcs15_encode_df(struct sc_context *ctx, struct sc_pkcs15_card *p15card, stru
|
||||||
free(buf);
|
free(buf);
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
if (!tmpsize)
|
||||||
|
continue;
|
||||||
p = (u8 *) realloc(buf, bufsize + tmpsize);
|
p = (u8 *) realloc(buf, bufsize + tmpsize);
|
||||||
if (!p) {
|
if (!p) {
|
||||||
free(tmp);
|
free(tmp);
|
||||||
|
|
|
@ -672,7 +672,7 @@ int sc_file_set_prop_attr(sc_file_t *file, const u8 *prop_attr,
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
return SC_ERROR_INVALID_ARGUMENTS;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (prop_attr == NULL) {
|
if (prop_attr == NULL || prop_attr_len == 0) {
|
||||||
if (file->prop_attr != NULL)
|
if (file->prop_attr != NULL)
|
||||||
free(file->prop_attr);
|
free(file->prop_attr);
|
||||||
file->prop_attr = NULL;
|
file->prop_attr = NULL;
|
||||||
|
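Review bot: The widened condition now frees `file->prop_attr` and sets it to NULL when `prop_attr_len == 0`, but the hunk does not show the matching length field being reset; if it keeps its previous value a reader of the struct sees a NULL buffer paired with a non-zero length. Confirm that the code after the hunk (the function continues past it) zeroes the length on this path, or add `file->prop_attr_len = 0;` inside the branch. The same question applies to sc_file_set_type_attr and sc_file_set_content.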
@ -702,7 +702,7 @@ int sc_file_set_type_attr(sc_file_t *file, const u8 *type_attr,
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
return SC_ERROR_INVALID_ARGUMENTS;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (type_attr == NULL) {
|
if (type_attr == NULL || type_attr_len == 0) {
|
||||||
if (file->type_attr != NULL)
|
if (file->type_attr != NULL)
|
||||||
free(file->type_attr);
|
free(file->type_attr);
|
||||||
file->type_attr = NULL;
|
file->type_attr = NULL;
|
||||||
|
@ -733,7 +733,7 @@ int sc_file_set_content(sc_file_t *file, const u8 *content,
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
return SC_ERROR_INVALID_ARGUMENTS;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (content == NULL) {
|
if (content == NULL || content_len == 0) {
|
||||||
if (file->encoded_content != NULL)
|
if (file->encoded_content != NULL)
|
||||||
free(file->encoded_content);
|
free(file->encoded_content);
|
||||||
file->encoded_content = NULL;
|
file->encoded_content = NULL;
|
||||||
|
|
|
@ -219,6 +219,8 @@ awp_update_blob(struct sc_context *ctx,
|
||||||
*blob_size += 1 + lv->len;
|
*blob_size += 1 + lv->len;
|
||||||
break;
|
break;
|
||||||
case TLV_TYPE_V :
|
case TLV_TYPE_V :
|
||||||
|
if (0 == *blob_size + lv->len)
|
||||||
|
return SC_ERROR_INVALID_DATA;
|
||||||
if (!(pp = realloc(*blob, *blob_size + lv->len)))
|
if (!(pp = realloc(*blob, *blob_size + lv->len)))
|
||||||
return SC_ERROR_OUT_OF_MEMORY;
|
return SC_ERROR_OUT_OF_MEMORY;
|
||||||
memcpy(pp + *blob_size, lv->value, lv->len);
|
memcpy(pp + *blob_size, lv->value, lv->len);
|
||||||
|
|
|
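Review bot: The added `if (0 == *blob_size + lv->len) return SC_ERROR_INVALID_DATA;` makes a zero-length V element a hard error only when nothing precedes it, while a zero-length value after a non-empty blob still passes and appends nothing, so whether an empty value is "invalid" depends on how much blob came before. If empty values can legitimately occur in this TLV encoding, skipping the append would be the consistent choice; otherwise testing `lv->len == 0` directly, with a comment on why size 0 must not reach realloc, makes the rule independent of the preceding size. The rest of the switch lies outside the hunk.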
@ -478,7 +478,7 @@ static int format_mse_cdata(struct sc_context *ctx, int protocol,
|
||||||
r = SC_ERROR_INTERNAL;
|
r = SC_ERROR_INTERNAL;
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
if (length < 0) {
|
if (length <= 0) {
|
||||||
r = SC_ERROR_INTERNAL;
|
r = SC_ERROR_INTERNAL;
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
@ -1321,6 +1321,10 @@ int perform_pace(sc_card_t *card,
|
||||||
r = SC_ERROR_INTERNAL;
|
r = SC_ERROR_INTERNAL;
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
if (comp_pub_opp->length == 0) {
|
||||||
|
r = SC_ERROR_INTERNAL;
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
p = realloc(pace_output->id_icc, comp_pub_opp->length);
|
p = realloc(pace_output->id_icc, comp_pub_opp->length);
|
||||||
if (!p) {
|
if (!p) {
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n");
|
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n");
|
||||||
|
@ -1333,6 +1337,10 @@ int perform_pace(sc_card_t *card,
|
||||||
memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length);
|
memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length);
|
||||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_SM, "ID ICC", pace_output->id_icc,
|
sc_debug_hex(card->ctx, SC_LOG_DEBUG_SM, "ID ICC", pace_output->id_icc,
|
||||||
pace_output->id_icc_length);
|
pace_output->id_icc_length);
|
||||||
|
if (comp_pub->length == 0) {
|
||||||
|
r = SC_ERROR_INTERNAL;
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
p = realloc(pace_output->id_pcd, comp_pub->length);
|
p = realloc(pace_output->id_pcd, comp_pub->length);
|
||||||
if (!p) {
|
if (!p) {
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n");
|
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n");
|
||||||
|
@ -1927,7 +1935,7 @@ eac_sm_encrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||||
|
|
||||||
databuf = BUF_MEM_create_init(data, datalen);
|
databuf = BUF_MEM_create_init(data, datalen);
|
||||||
encbuf = EAC_encrypt(eacsmctx->ctx, databuf);
|
encbuf = EAC_encrypt(eacsmctx->ctx, databuf);
|
||||||
if (!databuf || !encbuf) {
|
if (!databuf || !encbuf || !encbuf->length) {
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data.");
|
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data.");
|
||||||
ssl_error(card->ctx);
|
ssl_error(card->ctx);
|
||||||
r = SC_ERROR_INTERNAL;
|
r = SC_ERROR_INTERNAL;
|
||||||
|
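Review bot: The new `!encbuf->length` condition shares the error branch with the allocation/encryption failure, so it logs "Could not encrypt data." and calls ssl_error(), which, if it reports the OpenSSL error queue as its name suggests, prints nothing useful for an empty but otherwise successful result. A separate message naming the empty-output case, e.g. `sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Encryption produced no data.");`, would make the log actionable; the same holds for the parallel conditions in eac_sm_decrypt and eac_sm_authenticate. The cleanup label that releases the BUF_MEM objects is outside the hunk.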
@ -1969,7 +1977,7 @@ eac_sm_decrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||||
|
|
||||||
encbuf = BUF_MEM_create_init(enc, enclen);
|
encbuf = BUF_MEM_create_init(enc, enclen);
|
||||||
databuf = EAC_decrypt(eacsmctx->ctx, encbuf);
|
databuf = EAC_decrypt(eacsmctx->ctx, encbuf);
|
||||||
if (!encbuf || !databuf) {
|
if (!encbuf || !databuf || !databuf->length) {
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data.");
|
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data.");
|
||||||
ssl_error(card->ctx);
|
ssl_error(card->ctx);
|
||||||
r = SC_ERROR_INTERNAL;
|
r = SC_ERROR_INTERNAL;
|
||||||
|
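Review bot: `!databuf->length` rejects a zero-length plaintext, yet under a padding scheme that appends a marker byte a ciphertext block carrying only padding decrypts to an empty value, so if EAC_decrypt strips padding and such APDUs can reach this path the check would refuse valid traffic. Confirm how EAC_decrypt treats padding for the SM context in use (`add_padding` in this commit shows that `SM_NO_PADDING` also exists) and, if an empty plaintext is legal here, keep only the `!databuf` test in this function. The function continues outside the hunk.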
@ -2016,7 +2024,7 @@ eac_sm_authenticate(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
macbuf = EAC_authenticate(eacsmctx->ctx, inbuf);
|
macbuf = EAC_authenticate(eacsmctx->ctx, inbuf);
|
||||||
if (!macbuf) {
|
if (!macbuf || !macbuf->length) {
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
|
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
|
||||||
"Could not compute message authentication code (MAC).");
|
"Could not compute message authentication code (MAC).");
|
||||||
ssl_error(card->ctx);
|
ssl_error(card->ctx);
|
||||||
|
@ -2105,7 +2113,7 @@ add_tag(unsigned char **asn1new, int constructed, int tag,
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
newlen = ASN1_object_size(constructed, len, tag);
|
newlen = ASN1_object_size(constructed, len, tag);
|
||||||
if (newlen < 0)
|
if (newlen <= 0)
|
||||||
return newlen;
|
return newlen;
|
||||||
|
|
||||||
p = OPENSSL_realloc(*asn1new, newlen);
|
p = OPENSSL_realloc(*asn1new, newlen);
|
||||||
|
|
|
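Review bot: With the widened `if (newlen <= 0) return newlen;` a zero from ASN1_object_size is handed straight back as return value 0, which the `return -1;` a few lines earlier shows is not this function's error convention; a caller testing for `< 0` would read it as success with nothing written. Returning the sentinel for the zero case as well, `if (newlen <= 0) return -1;`, keeps the guard while preserving the error signalling. add_tag continues outside the hunk.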
@ -92,7 +92,12 @@ add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
|
||||||
switch (ctx->padding_indicator) {
|
switch (ctx->padding_indicator) {
|
||||||
case SM_NO_PADDING:
|
case SM_NO_PADDING:
|
||||||
if (*padded != data) {
|
if (*padded != data) {
|
||||||
p = realloc(*padded, datalen);
|
if (datalen == 0) {
|
||||||
|
free(*padded);
|
||||||
|
p = malloc(datalen);
|
||||||
|
} else {
|
||||||
|
p = realloc(*padded, datalen);
|
||||||
|
}
|
||||||
if (!p)
|
if (!p)
|
||||||
return SC_ERROR_OUT_OF_MEMORY;
|
return SC_ERROR_OUT_OF_MEMORY;
|
||||||
*padded = p;
|
*padded = p;
|
||||||
|
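Review bot: In the new `datalen == 0` branch `free(*padded)` is followed by `p = malloc(datalen)`, and `malloc(0)` may legitimately return NULL; the following `if (!p) return SC_ERROR_OUT_OF_MEMORY;` then hands the caller a `*padded` that points at freed memory, the same dangling-pointer hazard this commit is meant to close. Set `*padded = NULL;` directly after the `free(*padded)`, and consider treating a NULL from `malloc(0)` as success rather than as out-of-memory, since no storage is needed for zero bytes. The rest of the switch is outside the hunk.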
@ -146,7 +151,7 @@ static int format_le(size_t le, struct sc_asn1_entry *le_entry,
|
||||||
{
|
{
|
||||||
u8 *p;
|
u8 *p;
|
||||||
|
|
||||||
if (!lebuf || !le_len)
|
if (!lebuf || !le_len || !*le_len)
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
return SC_ERROR_INVALID_ARGUMENTS;
|
||||||
|
|
||||||
p = realloc(*lebuf, *le_len);
|
p = realloc(*lebuf, *le_len);
|
||||||
|
|