lib: in _ykpiv_fetch_object() handle bogus length by returning
otherwise we might memmove() to much data Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
This commit is contained in:
committed by
Thordur Bjornsson
parent
01a127a44a
commit
80d47c82f0
@@ -1282,6 +1282,12 @@ ykpiv_rc _ykpiv_fetch_object(ykpiv_state *state, int object_id,
|
|||||||
if(offs == 0) {
|
if(offs == 0) {
|
||||||
return YKPIV_SIZE_ERROR;
|
return YKPIV_SIZE_ERROR;
|
||||||
}
|
}
|
||||||
|
if(outlen > offs + 1 + *len) {
|
||||||
|
if(state->verbose) {
|
||||||
|
fprintf(stderr, "Invalid length indicated in object, total objlen is %lu, indicated length is %lu.", *len, outlen);
|
||||||
|
}
|
||||||
|
return YKPIV_SIZE_ERROR;
|
||||||
|
}
|
||||||
memmove(data, data + 1 + offs, outlen);
|
memmove(data, data + 1 + offs, outlen);
|
||||||
*len = (unsigned long)outlen;
|
*len = (unsigned long)outlen;
|
||||||
return YKPIV_OK;
|
return YKPIV_OK;
|
||||||
|
|||||||
Reference in New Issue
Block a user