fixed out of bounds read/write/access
parent
a4c8d67110
commit
8d902d1ed3
|
@ -209,7 +209,7 @@ des3_encrypt_ecb(const unsigned char *key, int keysize,
|
|||
|
||||
|
||||
static int
|
||||
des3_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
|
||||
des3_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
|
||||
const unsigned char *input, size_t length, unsigned char *output)
|
||||
{
|
||||
unsigned char bKey[24] = { 0 };
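Review bot: Declaring the parameter as `unsigned char iv[EVP_MAX_IV_LENGTH]` makes the compiler check nothing, because an array parameter is adjusted to `unsigned char *iv` and the bound is documentation only. The out-of-bounds access is gone only if every caller passes a buffer of at least EVP_MAX_IV_LENGTH bytes; the callers are outside this hunk, so that needs confirming there. If the supported compilers accept C99, `unsigned char iv[static EVP_MAX_IV_LENGTH]` lets compilers that implement the check diagnose undersized arguments. Otherwise a comment on each function stating the minimum IV buffer size would do. The same applies to the des_encrypt_cbc and des_decrypt_cbc hunks below.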
|
||||
|
@ -244,7 +244,7 @@ des3_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX
|
|||
|
||||
|
||||
static int
|
||||
des_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
|
||||
des_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
|
||||
const unsigned char *input, size_t length, unsigned char *output)
|
||||
{
|
||||
return openssl_enc(EVP_des_cbc(), key, iv, input, length, output);
|
||||
|
@ -252,7 +252,7 @@ des_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
|
|||
|
||||
|
||||
static int
|
||||
des_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
|
||||
des_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
|
||||
const unsigned char *input, size_t length, unsigned char *output)
|
||||
{
|
||||
return openssl_dec(EVP_des_cbc(), key, iv, input, length, output);
|
||||
|
|
|
@ -407,7 +407,7 @@ static int encode_file_structure(sc_card_t *card, const sc_file_t *file,
|
|||
|
||||
case SC_FILE_TYPE_DF:
|
||||
buf[8] = 0x38;
|
||||
if(file->namelen > 0 && file->namelen <= 16)
|
||||
if(file->namelen > 0 && file->namelen < 16)
|
||||
{
|
||||
buf[25] = 0x84;
|
||||
buf[26] = (u8)file->namelen;
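Review bot: With `file->namelen < 16`, a DF name of exactly 16 bytes now skips the 0x84 name block, and as far as the hunk shows no error is reported, although 16 bytes is a legal DF name length in ISO 7816-4. The declaration of buf and the copy of the name are outside this hunk, so I cannot tell whether the real limit is the buffer size; if it is, sizing the buffer for a 16-byte name would keep such DFs creatable. If the card does accept only 15 bytes, state that in a comment on the check and reject longer names with an error rather than encoding the DF without its name.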
|
||||
|
|
|
@ -2014,7 +2014,7 @@ write_publickey (struct sc_card *card, unsigned int offset,
|
|||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
|
||||
"write_publickey in %d bytes :\n%s", count, debug_buf);
|
||||
|
||||
if (offset > sizeof(rsa_der))
|
||||
if (1+offset > sizeof(rsa_der))
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS, "Invalid offset value");
|
||||
|
||||
len = offset+count > sizeof(rsa_der) ? sizeof(rsa_der) - offset : count;
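Review bot: The new guard `1+offset > sizeof(rsa_der)` wraps when offset is UINT_MAX, since offset is an `unsigned int`: the sum becomes 0 and the check passes. The next line then computes `sizeof(rsa_der) - offset`, which underflows to a very large len. Writing the test without arithmetic on the untrusted value avoids this and rejects the same range: `if (offset >= sizeof(rsa_der))`. The `offset+count` sum on the following line deserves the same treatment, e.g. `count > sizeof(rsa_der) - offset` once offset is known to be in range. The use of len is outside this hunk.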
|
||||
|
@ -2113,7 +2113,7 @@ auth_read_binary(struct sc_card *card, unsigned int offset,
|
|||
if (auth_current_ef->magic==SC_FILE_MAGIC &&
|
||||
auth_current_ef->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) {
|
||||
int jj;
|
||||
unsigned char resp[0x100], *out = NULL;
|
||||
unsigned char resp[SC_MAX_APDU_BUFFER_SIZE], *out = NULL;
|
||||
size_t resp_len, out_len;
|
||||
struct sc_pkcs15_bignum bn[2];
|
||||
struct sc_pkcs15_pubkey_rsa key;
|
||||
|
|
|
@ -58,7 +58,7 @@ ctbcs_build_perform_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *d
|
|||
prompt = data->pin1.prompt;
|
||||
if (prompt && *prompt) {
|
||||
len = strlen(prompt);
|
||||
if (count + len + 2 > buflen || len > 255)
|
||||
if (count + len + 2 > buflen || len > 254)
|
||||
return SC_ERROR_BUFFER_TOO_SMALL;
|
||||
buf[count++] = CTBCS_TAG_PROMPT;
|
||||
buf[count++] = len;
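Review bot: The new limit `len > 254` is a bare number with no stated reason. `buf[count++] = len` stores the length in a single byte, which 255 would still fit, so a reader cannot tell what the extra byte is reserved for. A short comment on the check naming the constraint, or a named constant in place of 254, would stop a later edit from "correcting" it back to 255. The identical check is repeated in the ctbcs_build_modify_verification_apdu hunk below; both functions continue outside their hunks.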
|
||||
|
@ -126,7 +126,7 @@ ctbcs_build_modify_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *da
|
|||
prompt = data->pin1.prompt;
|
||||
if (prompt && *prompt) {
|
||||
len = strlen(prompt);
|
||||
if (count + len + 2 > buflen || len > 255)
|
||||
if (count + len + 2 > buflen || len > 254)
|
||||
return SC_ERROR_BUFFER_TOO_SMALL;
|
||||
buf[count++] = CTBCS_TAG_PROMPT;
|
||||
buf[count++] = len;
|
||||
|
|
|
@ -221,7 +221,7 @@ static int sc_pkcs15emu_postecert_init(sc_pkcs15_card_t * p15card)
|
|||
count_cert[o] =
|
||||
(*(certi + i + 2) << 8) + *(certi + i + 3) + 4;
|
||||
o++;
|
||||
if (o > 4)
|
||||
if (o >= 4)
|
||||
break;
|
||||
i += (*(certi + i + 2) << 8) + *(certi + i + 3);
|
||||
}
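Review bot: The `o >= 4` test runs only after `count_cert[o]` has been written, and it repeats the array size as a literal. Deriving it from the array, `if (o >= (int)(sizeof(count_cert) / sizeof(count_cert[0])))`, keeps the two from drifting apart, assuming count_cert is a true array in this scope (its declaration is outside the hunk). Separately, `i` is advanced by a length taken from the certi data itself, and the hunk shows no check that `i + 3` stays inside that buffer before it is dereferenced. If the loop condition outside the hunk does not bound it, a malformed card file can still push these reads out of bounds.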
|
||||
|
|
|
@ -512,7 +512,7 @@ static int asepcos_do_create_key(sc_card_t *card, size_t ksize, int fileid,
|
|||
sc_file_t *nfile = NULL;
|
||||
u8 buf[1024], *p = buf;
|
||||
|
||||
if (sizeof(buf) < kdlen + 11)
|
||||
if (sizeof(buf) < kdlen + 12)
|
||||
return SC_ERROR_BUFFER_TOO_SMALL;
|
||||
|
||||
*p++ = 0x85;
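Review bot: The size check still depends on a hand-counted constant: `kdlen + 12` has to equal the number of bytes later written through `p`, and this commit exists because that count was off by one. A named constant for the fixed overhead, with a comment listing the bytes it covers, would make the next miscount visible in review. If kdlen can be influenced by caller input, writing the test as `if (kdlen > sizeof(buf) - 12)` also avoids wraparound in the addition. The writes themselves are outside this hunk.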
|
||||
|
|
|
@ -1301,7 +1301,7 @@ do_fileid(struct state *cur, int argc, char **argv)
|
|||
parse_error(cur, "No path/fileid set for parent DF\n");
|
||||
return 1;
|
||||
}
|
||||
if (df->path.len + 2 > sizeof(df->path)) {
|
||||
if (df->path.len + 2 > sizeof(df->path.value)) {
|
||||
parse_error(cur, "File path too long\n");
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -49,7 +49,7 @@ int main(int argc, char *argv[])
|
|||
printf("Lottery: ");
|
||||
for (i = 0; i < 7; i++) {
|
||||
unsigned short s = buf[2 * i] + (buf[2 * i + 1] << 8);
|
||||
int lot = s % (left + 1);
|
||||
int lot = s % left;
|
||||
int num = nbuf[lot];
|
||||
|
||||
nbuf[lot] = nbuf[left - 1];
|
||||
|
|
|
@ -642,7 +642,7 @@ static int read_rsa_privkey(RSA **rsa_out)
|
|||
|
||||
static int encode_private_key(RSA *rsa, u8 *key, size_t *keysize)
|
||||
{
|
||||
u8 buf[512], *p = buf;
|
||||
u8 buf[1024], *p = buf;
|
||||
u8 bnbuf[256];
|
||||
int base = 0;
|
||||
int r;
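Review bot: Doubling `buf` to 1024 bytes removes the overflow for the key sizes seen so far, but the hunk shows no check that writes through `p` stay inside `buf`, or that each bignum fits in `bnbuf[256]`. A larger key would overflow again, so a remaining-space check before each component is appended, returning an error, would bound it; the body is outside this hunk and may already do so. Both stack buffers hold private-key components, so they should also be wiped on every return path, e.g. `OPENSSL_cleanse(buf, sizeof(buf));` and the same for bnbuf.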
|
||||
|
|