diff options
| author | Daniel Axtens <dja@axtens.net> | 2021-07-21 14:00:30 +1000 |
|---|---|---|
| committer | Vasant Hegde <hegdevasant@linux.vnet.ibm.com> | 2021-07-22 12:10:36 +0530 |
| commit | 6e2f254c6d8632ac3912877db887795cd9a61c85 (patch) | |
| tree | 37a330c45d1be2aa64c822aff83e6ea96f6f9366 /libstb/crypto/pkcs7 | |
| parent | 835113a74c77fe43eb51e11303ad0ceaf6e15893 (diff) | |
| download | skiboot-6e2f254c6d8632ac3912877db887795cd9a61c85.zip skiboot-6e2f254c6d8632ac3912877db887795cd9a61c85.tar.gz skiboot-6e2f254c6d8632ac3912877db887795cd9a61c85.tar.bz2 | |
pkcs7: pkcs7_get_content_info_type should reset *p on error
[ Upstream commit d8e13853e506e00713d15fa5e23457ba21a16829 ]
Fuzzing revealed a crash where pkcs7_get_signed_data was accessing beyond
the bounds of the object, despite valid data being passed in to
mbedtls_pkcs7_parse_der.
Further investigation revealed that pkcs7_get_content_info_type will
reset *p to start if the second call to mbedtls_asn1_get_tag fails,
but not if the first call fails.
mbedtls_asn1_get_tag does indeed advance *p even in some failure
cases, so a reset is required.
Reset *p to start if the first call to mbedtls_asn1_get_tag fails.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/crypto/pkcs7')
| -rw-r--r-- | libstb/crypto/pkcs7/pkcs7.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libstb/crypto/pkcs7/pkcs7.c b/libstb/crypto/pkcs7/pkcs7.c index 4407e20..a523a9d 100644 --- a/libstb/crypto/pkcs7/pkcs7.c +++ b/libstb/crypto/pkcs7/pkcs7.c @@ -151,8 +151,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) + if( ret != 0 ) { + *p = start; return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { |