From 8fd5ffd54ed0211f97000eca023d8a8824b1e168 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 15 Nov 2019 18:35:41 +0100
Subject: [PATCH] simpletlv: Avoid writing before all sanity checks in sc_simpletlv_put_tag()
---
 src/libopensc/simpletlv.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c
index 52090ead..18799253 100644
--- a/src/libopensc/simpletlv.c
+++ b/src/libopensc/simpletlv.c
@@ -49,19 +49,20 @@ sc_simpletlv_put_tag(u8 tag, size_t datalen, u8 *out, size_t outlen, u8 **ptr)
 /* tag is just number between 0x01 and 0xFE */
 if (tag == 0x00 || tag == 0xff)
 return SC_ERROR_INVALID_ARGUMENTS;
+ if (datalen > 0xffff) {
+ /* we can't store more than two bytes in Simple TLV */
+ return SC_ERROR_WRONG_LENGTH;
+ }
 *p++ = tag; /* tag is single byte */
 if (datalen < 0xff) {
 /* short value up to 255 */
 *p++ = (u8)datalen; /* is in the second byte */
- } else if (datalen < 0xffff) {
+ } else {
 /* longer values up to 65535 */
 *p++ = (u8)0xff; /* first byte is 0xff */
 *p++ = (u8)datalen & 0xff;
 *p++ = (u8)(datalen >> 8) & 0xff; /* LE */
- } else {
- /* we can't store more than two bytes in Simple TLV */
- return SC_ERROR_WRONG_LENGTH;
 }
 if (ptr != NULL)
 *ptr = p;
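Review bot: The new guard `if (datalen > 0xffff)` changes the accepted range as well as the order of the checks: a length of exactly 0xffff used to fall through `else if (datalen < 0xffff)` into the error branch, and is now written in the three-byte form. That agrees with the existing comment "longer values up to 65535", but the subject only mentions moving the check, so the commit message should say so and a test should pin 0xfffe, 0xffff and 0x10000. Whether the reading side accepts the same maximum is not visible here. The long branch writes four bytes to `out`, and the `outlen` check it relies on sits above the hunk (the function body starts and ends outside it), so "no write before all sanity checks" holds only if that check requires four bytes whenever `datalen >= 0xff`. A comment on the guard such as `/* 0xffff is the largest length the two-byte field can carry */` would make the inclusive bound explicit.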