lib: in _ykpiv_fetch_object() handle bogus length by returning

otherwise we might memmove() to much data

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
This commit is contained in:
Klas Lindfors
2018-05-22 13:31:50 +02:00
committed by Thordur Bjornsson
parent 01a127a44a
commit 80d47c82f0
+6
View File
@@ -1282,6 +1282,12 @@ ykpiv_rc _ykpiv_fetch_object(ykpiv_state *state, int object_id,
if(offs == 0) {
return YKPIV_SIZE_ERROR;
}
if(outlen > offs + 1 + *len) {
if(state->verbose) {
fprintf(stderr, "Invalid length indicated in object, total objlen is %lu, indicated length is %lu.", *len, outlen);
}
return YKPIV_SIZE_ERROR;
}
memmove(data, data + 1 + offs, outlen);
*len = (unsigned long)outlen;
return YKPIV_OK;