lib: in _ykpiv_fetch_object() handle bogus length by returning
otherwise we might memmove() too much data. Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
committed by
Thordur Bjornsson
parent
01a127a44a
commit
80d47c82f0
@@ -1282,6 +1282,12 @@ ykpiv_rc _ykpiv_fetch_object(ykpiv_state *state, int object_id,
|
||||
if(offs == 0) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
}
|
||||
if(outlen > offs + 1 + *len) {
|
||||
if(state->verbose) {
|
||||
fprintf(stderr, "Invalid length indicated in object, total objlen is %lu, indicated length is %lu.", *len, outlen);
|
||||
}
|
||||
return YKPIV_SIZE_ERROR;
|
||||
}
|
||||
memmove(data, data + 1 + offs, outlen);
|
||||
*len = (unsigned long)outlen;
|
||||
return YKPIV_OK;
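Review bot: The new guard `if(outlen > offs + 1 + *len)` puts the header size on the wrong side of the comparison, so an indicated length of up to `*len + offs + 1` still passes. Assuming `*len` is the number of valid bytes in `data`, as the error message implies, the `memmove(data, data + 1 + offs, outlen)` below can then read up to `2 * (offs + 1)` bytes past the end of the object. The payload fits only when the tag byte, the `offs` length bytes and `outlen` together stay within `*len`; written without overflow that is `if(*len < offs + 1 || outlen > *len - offs - 1)`. The declarations of `outlen` and `offs` are outside the hunk, but the `(unsigned long)outlen` cast on the assignment suggests `outlen` is not an `unsigned long`, in which case it needs the same cast for the `%lu` in the `fprintf`, and the message also lacks a trailing `\n`. The function body starts before this hunk.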
|
||||
|
||||