File yubico-piv-tool-2.3.0-use-after-free.patch of Package yubico-piv-tool

Overview Repositories Revisions Requests Users Attributes Meta

File yubico-piv-tool-2.3.0-use-after-free.patch of Package yubico-piv-tool

From 07d280a83f5145017de4ebf6a2af21658e22fddf Mon Sep 17 00:00:00 2001
From: Veronika Hanulikova <vhanulik@redhat.com>
Date: Wed, 2 Mar 2022 10:32:48 +0100
Subject: [PATCH] Fix use after free

Causes errors "may be used after 'free'", since
`dec` is not allocated again after `free()`.
Also, removed assigning of `sizeof(dec)`, because
`dec` is not static array, but allocated.
---
 ykcs11/tests/ykcs11_tests_util.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c
index e63091e9..530d9028 100644
--- a/ykcs11/tests/ykcs11_tests_util.c
+++ b/ykcs11/tests/ykcs11_tests_util.c
@@ -1193,7 +1193,7 @@ void test_rsa_decrypt(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
   CK_BYTE*  data;
   CK_BYTE   enc[512] = {0};
   CK_BYTE*  dec;
-  CK_ULONG  dec_len;
+  CK_ULONG  dec_len, dec_len_backup;
 
   if(padding == RSA_NO_PADDING) {
     data_len = RSA_size(rsak);
@@ -1228,12 +1228,14 @@ void test_rsa_decrypt(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
       // Decrypt Update
       asrt(funcs->C_DecryptInit(session, &mech, obj_pvtkey[i]), CKR_OK, "DECRYPT INIT");
       asrt(funcs->C_Login(session, CKU_CONTEXT_SPECIFIC, (CK_CHAR_PTR)"123456", 6), CKR_OK, "Re-Login USER");
-      dec_len = sizeof(dec);
+      dec = malloc(dec_len);
+      dec_len_backup = dec_len;
       asrt(funcs->C_DecryptUpdate(session, enc, 100, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
-      dec_len = sizeof(dec);
+      dec_len = dec_len_backup;
       asrt(funcs->C_DecryptUpdate(session, enc+100, 8, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
-      dec_len = sizeof(dec);
+      dec_len = dec_len_backup;
       asrt(funcs->C_DecryptUpdate(session, enc+108, 20, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
+      free(dec);
       dec_len = 0;
       asrt(funcs->C_DecryptFinal(session, NULL, &dec_len), CKR_OK, "DECRYPT FINAL");
       dec = malloc(dec_len);

Places

File yubico-piv-tool-2.3.0-use-after-free.patch of Package yubico-piv-tool

Places