From 80d47c82f019d6676e8cc5392a31d7478af8015e Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Tue, 22 May 2018 13:31:50 +0200
Subject: [PATCH] lib: in _ykpiv_fetch_object() handle bogus length by returning otherwise we might memmove() to much data Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
---
 lib/ykpiv.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/ykpiv.c b/lib/ykpiv.c
index 4e65128..83738c3 100644
--- a/lib/ykpiv.c
+++ b/lib/ykpiv.c
@@ -1282,6 +1282,12 @@ ykpiv_rc _ykpiv_fetch_object(ykpiv_state *state, int object_id,
 if(offs == 0) {
 return YKPIV_SIZE_ERROR;
 }
+ if(outlen > offs + 1 + *len) {
+ if(state->verbose) {
+ fprintf(stderr, "Invalid length indicated in object, total objlen is %lu, indicated length is %lu.", *len, outlen);
+ }
+ return YKPIV_SIZE_ERROR;
+ }
 memmove(data, data + 1 + offs, outlen);
 *len = (unsigned long)outlen;
 return YKPIV_OK;
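Review bot: The added bound `outlen > offs + 1 + *len` puts the tag and length bytes on the wrong side of the comparison, so an indicated length larger than the payload actually present still passes and `memmove(data, data + 1 + offs, outlen)` can read up to `2 * (offs + 1)` bytes past the received data. This assumes `*len` holds the total number of bytes returned into `data`, as the log text "total objlen" suggests; it is set outside this hunk, so confirm against the transfer call. The payload can then be at most `*len - 1 - offs`, and the guard should read `if(*len < (unsigned long)offs + 1 || outlen > *len - offs - 1) {`, which also avoids wrap-around in the addition. Separately, the `fprintf` passes `outlen` to `%lu` although it is cast to `unsigned long` on assignment below, which suggests it is a `size_t`; cast it in the call or use `%zu`, and end the message with `\n`. The body of `_ykpiv_fetch_object` starts and ends outside the hunk.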