authorBipin Ravi <bipin.ravi@arm.com>2023-02-06 03:20:56 +0100
committerTrustedFirmware Code Review <review@review.trustedfirmware.org>2023-02-06 03:20:56 +0100
commit0b06ea7b18014fe7df81bc547551f1b7b5d3f240 (patch)
treef721ff1752d43dfa353bdb8233fe734d9d313d0a
parent779d1fbcdaa5679823fbbe3798ff14b8a36c08e1 (diff)
parent187e79427dd09ae4b47128aa17975dc1310453bc (diff)
downloadarm-trusted-firmware-0b06ea7b18014fe7df81bc547551f1b7b5d3f240.tar.gz
Merge "fix(auth): avoid out-of-bounds read in auth_nvctr()" into lts-v2.8
-rw-r--r--drivers/auth/auth_mod.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c
index fa9509a0c..1bf03d409 100644
--- a/drivers/auth/auth_mod.c
+++ b/drivers/auth/auth_mod.c
@@ -243,7 +243,7 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param,
unsigned int *cert_nv_ctr,
bool *need_nv_ctr_upgrade)
{
- char *p;
+ unsigned char *p;
void *data_ptr = NULL;
unsigned int data_len, len, i;
unsigned int plat_nv_ctr;
@@ -258,16 +258,24 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param,
/* Parse the DER encoded integer */
assert(data_ptr);
- p = (char *)data_ptr;
- if (*p != ASN1_INTEGER) {
+ p = (unsigned char *)data_ptr;
+
+ /*
+ * Integers must be at least 3 bytes: 1 for tag, 1 for length, and 1
+ * for value. The first byte (tag) must be ASN1_INTEGER.
+ */
+ if ((data_len < 3) || (*p != ASN1_INTEGER)) {
/* Invalid ASN.1 integer */
return 1;
}
p++;
- /* NV-counters are unsigned integers up to 32-bit */
- len = (unsigned int)(*p & 0x7f);
- if ((*p & 0x80) || (len > 4)) {
+ /*
+ * NV-counters are unsigned integers up to 31 bits. Trailing
+ * padding is not allowed.
+ */
+ len = (unsigned int)*p;
+ if ((len > 4) || (data_len - 2 != len)) {
return 1;
}
p++;
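Review bot: The trailing-data check `data_len - 2 != len` is an unsigned subtraction that is only safe because `data_len < 3` was already rejected in the earlier `if`; if that guard is ever moved or relaxed, the subtraction wraps instead of failing closed. Writing it as `if ((len > 4U) || (data_len != (len + 2U))) {` expresses the same rule without relying on statement order, and the addition cannot overflow because `len` is read from a single byte. The comment above it could also say that a length byte with the top bit set (DER long form) is now rejected by the `len > 4` test, since the explicit `0x80` check was removed. auth_nvctr() starts before and continues past this hunk, so the reads of the value bytes and any sign check on the first value byte are not visible here.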