fixed out of bounds access/write

2015-01-28 07:00:02 +01:00 · 2015-01-28 07:00:02 +01:00 · 87b2403673
parent 68d86644fd
commit 87b2403673
7 changed files with 12 additions and 12 deletions
--- a/src/libopensc/card-epass2003.c
+++ b/src/libopensc/card-epass2003.c
@ -227,7 +227,7 @@ des3_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],


 static int
-des3_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
+des3_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
 		const unsigned char *input, size_t length, unsigned char *output)
 {
 	unsigned char bKey[24] = { 0 };
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@ -305,8 +305,8 @@ static int encode_file_structure(sc_card_t *card, const sc_file_t *file,
 		u8 *out, size_t *outlen)
 {
 	const sc_acl_entry_t *read, *update, *delete, *generate;
-	u8 buf[40];
-	int i;
+	u8 buf[41];
+	size_t i;

 	LOG_FUNC_CALLED(card->ctx);
 	/* PrivateKey
@ -412,7 +412,7 @@ static int encode_file_structure(sc_card_t *card, const sc_file_t *file,
 			buf[25] = 0x84;
 			buf[26] = (u8)file->namelen;

-			for(i=0;i < (int)file->namelen;i++)
+			for(i=0;i < file->namelen;i++)
 				buf[i + 26] = file->name[i];

 			buf[1] = 0x19 + file->namelen + 2;
--- a/src/libopensc/card-setcos.c
+++ b/src/libopensc/card-setcos.c
@ -438,7 +438,7 @@ static int setcos_create_file_44(sc_card_t *card, sc_file_t *file)
 		const int* p_idx;
 		int	       i;
 		int	       len = 0;
-		u8         bBuf[32];
+		u8         bBuf[64];

 		/* Get specific operation groups for specified file-type */
 		switch (file->type){
--- a/src/libopensc/ctbcs.c
+++ b/src/libopensc/ctbcs.c
@ -45,7 +45,7 @@ ctbcs_build_perform_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *d
 {
 	const char *prompt;
 	size_t buflen, count = 0, j = 0, len;
-	static u8 buf[254];
+	static u8 buf[256];
 	u8 control;

 	ctbcs_init_apdu(apdu,
@ -113,7 +113,7 @@ ctbcs_build_modify_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *da
 {
 	const char *prompt;
 	size_t buflen, count = 0, j = 0, len;
-	static u8 buf[254];
+	static u8 buf[256];
 	u8 control;

 	ctbcs_init_apdu(apdu,
--- a/src/pkcs15init/pkcs15-asepcos.c
+++ b/src/pkcs15init/pkcs15-asepcos.c
@ -510,7 +510,7 @@ static int asepcos_do_create_key(sc_card_t *card, size_t ksize, int fileid,
 	int       r;
 	size_t    len;
 	sc_file_t *nfile = NULL;
-	u8        buf[512], *p = buf;
+	u8        buf[1024], *p = buf;

 	if (sizeof(buf) < kdlen + 11)
 		return SC_ERROR_BUFFER_TOO_SMALL;
--- a/src/pkcs15init/pkcs15-openpgp.c
+++ b/src/pkcs15init/pkcs15-openpgp.c
@ -187,7 +187,7 @@ static int openpgp_generate_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card

 	/* The OpenPGP supports only 32-bit exponent. */
 	key_info.exponent_len = 32;
-	key_info.exponent = calloc(4, 1);
+	key_info.exponent = calloc(key_info.exponent_len>>3, 1); /* 1/8 */
 	if (key_info.exponent == NULL)
 		LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_ENOUGH_MEMORY);

@ -204,10 +204,10 @@ static int openpgp_generate_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card

 	sc_log(ctx, "Set output exponent info");
 	pubkey->u.rsa.exponent.len = key_info.exponent_len;
-	pubkey->u.rsa.exponent.data = calloc(key_info.exponent_len, 1);
+	pubkey->u.rsa.exponent.data = calloc(key_info.exponent_len>>3, 1); /* 1/8 */
 	if (pubkey->u.rsa.exponent.data == NULL)
 		goto out;
-	memcpy(pubkey->u.rsa.exponent.data, key_info.exponent, key_info.exponent_len);
+	memcpy(pubkey->u.rsa.exponent.data, key_info.exponent, key_info.exponent_len>>3); /* 1/8 */

 out:
 	if (key_info.modulus)
--- a/src/tools/cryptoflex-tool.c
+++ b/src/tools/cryptoflex-tool.c
@ -716,7 +716,7 @@ static int encode_private_key(RSA *rsa, u8 *key, size_t *keysize)

 static int encode_public_key(RSA *rsa, u8 *key, size_t *keysize)
 {
-	u8 buf[512], *p = buf;
+	u8 buf[1024], *p = buf;
 	u8 bnbuf[256];
 	int base = 0;
 	int r;