fixed out of bounds read/write/access

2015-02-04 09:24:50 +01:00 · 2015-02-04 09:24:50 +01:00 · 8d902d1ed3
parent a4c8d67110
commit 8d902d1ed3
9 changed files with 13 additions and 13 deletions
--- a/src/libopensc/card-epass2003.c
+++ b/src/libopensc/card-epass2003.c
@ -209,7 +209,7 @@ des3_encrypt_ecb(const unsigned char *key, int keysize,


 static int
-des3_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
+des3_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
 		const unsigned char *input, size_t length, unsigned char *output)
 {
 	unsigned char bKey[24] = { 0 };
@ -244,7 +244,7 @@ des3_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX


 static int
-des_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
+des_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
 		const unsigned char *input, size_t length, unsigned char *output)
 {
 	return openssl_enc(EVP_des_cbc(), key, iv, input, length, output);
@ -252,7 +252,7 @@ des_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],


 static int
-des_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
+des_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
 		const unsigned char *input, size_t length, unsigned char *output)
 {
 	return openssl_dec(EVP_des_cbc(), key, iv, input, length, output);
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@ -407,7 +407,7 @@ static int encode_file_structure(sc_card_t *card, const sc_file_t *file,

 	case SC_FILE_TYPE_DF:
 		buf[8] = 0x38;
-		if(file->namelen > 0 && file->namelen <= 16)
+		if(file->namelen > 0 && file->namelen < 16)
 		{
 			buf[25] = 0x84;
 			buf[26] = (u8)file->namelen;
--- a/src/libopensc/card-oberthur.c
+++ b/src/libopensc/card-oberthur.c
@ -2014,7 +2014,7 @@ write_publickey (struct sc_card *card, unsigned int offset,
 	sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
 		"write_publickey in %d bytes :\n%s", count, debug_buf);

-	if (offset > sizeof(rsa_der))
+	if (1+offset > sizeof(rsa_der))
 		SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS, "Invalid offset value");

 	len = offset+count > sizeof(rsa_der) ? sizeof(rsa_der) - offset : count;
@ -2113,7 +2113,7 @@ auth_read_binary(struct sc_card *card, unsigned int offset,
 	if (auth_current_ef->magic==SC_FILE_MAGIC &&
             auth_current_ef->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC)   {
 		int jj;
-		unsigned char resp[0x100], *out = NULL;
+		unsigned char resp[SC_MAX_APDU_BUFFER_SIZE], *out = NULL;
 		size_t resp_len, out_len;
 		struct sc_pkcs15_bignum bn[2];
 		struct sc_pkcs15_pubkey_rsa key;
--- a/src/libopensc/ctbcs.c
+++ b/src/libopensc/ctbcs.c
@ -58,7 +58,7 @@ ctbcs_build_perform_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *d
 	prompt = data->pin1.prompt;
 	if (prompt && *prompt) {
 		len = strlen(prompt);
-		if (count + len + 2 > buflen || len > 255)
+		if (count + len + 2 > buflen || len > 254)
 			return SC_ERROR_BUFFER_TOO_SMALL;
 		buf[count++] = CTBCS_TAG_PROMPT;
 		buf[count++] = len;
@ -126,7 +126,7 @@ ctbcs_build_modify_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *da
 	prompt = data->pin1.prompt;
 	if (prompt && *prompt) {
 		len = strlen(prompt);
-		if (count + len + 2 > buflen || len > 255)
+		if (count + len + 2 > buflen || len > 254)
 			return SC_ERROR_BUFFER_TOO_SMALL;
 		buf[count++] = CTBCS_TAG_PROMPT;
 		buf[count++] = len;
--- a/src/libopensc/pkcs15-postecert.c
+++ b/src/libopensc/pkcs15-postecert.c
@ -221,7 +221,7 @@ static int sc_pkcs15emu_postecert_init(sc_pkcs15_card_t * p15card)
 			count_cert[o] =
 			    (*(certi + i + 2) << 8) + *(certi + i + 3) + 4;
 			o++;
-			if (o > 4)
+			if (o >= 4)
 				break;
 			i += (*(certi + i + 2) << 8) + *(certi + i + 3);
 		}
--- a/src/pkcs15init/pkcs15-asepcos.c
+++ b/src/pkcs15init/pkcs15-asepcos.c
@ -512,7 +512,7 @@ static int asepcos_do_create_key(sc_card_t *card, size_t ksize, int fileid,
 	sc_file_t *nfile = NULL;
 	u8        buf[1024], *p = buf;

-	if (sizeof(buf) < kdlen + 11)
+	if (sizeof(buf) < kdlen + 12)
 		return SC_ERROR_BUFFER_TOO_SMALL;

 	*p++ = 0x85;
--- a/src/pkcs15init/profile.c
+++ b/src/pkcs15init/profile.c
@ -1301,7 +1301,7 @@ do_fileid(struct state *cur, int argc, char **argv)
 			parse_error(cur, "No path/fileid set for parent DF\n");
 			return 1;
 		}
-		if (df->path.len + 2 > sizeof(df->path)) {
+		if (df->path.len + 2 > sizeof(df->path.value)) {
 			parse_error(cur, "File path too long\n");
 			return 1;
 		}
--- a/src/tests/lottery.c
+++ b/src/tests/lottery.c
@ -49,7 +49,7 @@ int main(int argc, char *argv[])
 			printf("Lottery: ");
 			for (i = 0; i < 7; i++) {
 				unsigned short s = buf[2 * i] + (buf[2 * i + 1] << 8);
-				int lot = s % (left + 1);
+				int lot = s % left;
 				int num = nbuf[lot];

 				nbuf[lot] = nbuf[left - 1];
--- a/src/tools/cryptoflex-tool.c
+++ b/src/tools/cryptoflex-tool.c
@ -642,7 +642,7 @@ static int read_rsa_privkey(RSA **rsa_out)

 static int encode_private_key(RSA *rsa, u8 *key, size_t *keysize)
 {
-	u8 buf[512], *p = buf;
+	u8 buf[1024], *p = buf;
 	u8 bnbuf[256];
 	int base = 0;
 	int r;