author | Benjamin Herrenschmidt <benh@kernel.crashing.org> | 2022-03-31 08:57:07 +1100 |
---|---|---|
committer | Benjamin Herrenschmidt <benh@kernel.crashing.org> | 2022-03-31 09:13:47 +1100 |
commit | 43721bf5226fb8193dfcab3153254bddb91a2642 (patch) | |
tree | e0cee71a6fe60cb5b4bd2fbef29f06c9f2f0e628 /lib/pkcs11.c | |
parent | 0d6a6fd57033b95d703eec07ed11a28cddfafb2e (diff) | |
download | gnutls-43721bf5226fb8193dfcab3153254bddb91a2642.tar.gz |
Fix off-by one exit condition in pkcs#11 priv keys lookup

In function find_privkeys(), the list-> array is allocated to be of size
list->key_ids_size. "current" is the index where the next found key will
be written (starts at 0).

The current exit condition is thus incorrect:

    if (current > list->key_ids_size)
        break;

This will allow "current" to be equal to list->key_ids_size which will
potentially cause an overflow if more keys are returned by the loop than
was originally found when calculating that size.

This is very unlikely, but incorrect nonetheless.

Fix this by using the more classic construct of testing for the array bound
in the loop exit condition, as suggested by Daiki Ueno.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>

Diffstat (limited to 'lib/pkcs11.c')
-rw-r--r-- | lib/pkcs11.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c index a822b1b497..3ece1d9f8d 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -3081,7 +3081,8 @@ find_privkeys(struct pkcs11_session_info *sinfo, current = 0; while (pkcs11_find_objects (sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK - && count == 1) { + && count == 1 + && current < list->key_ids_size) { a[0].type = CKA_ID; a[0].value = certid_tmp; @@ -3098,9 +3099,6 @@ find_privkeys(struct pkcs11_session_info *sinfo, return gnutls_assert_val(ret); current++; } - - if (current > list->key_ids_size) - break; } pkcs11_find_objects_final(sinfo); |
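Review bot: in the new loop condition of the first hunk (@@ -3081), the bound test `current < list->key_ids_size` is the last operand, so pkcs11_find_objects() is still called once after the array is full and the object it returns is dropped. Putting the bound first, as in `while (current < list->key_ids_size && pkcs11_find_objects(...) == CKR_OK && count == 1)`, lets short-circuit evaluation skip that call. The loop also now stops silently when the array fills; a short comment at the condition explaining that the token may return more keys than were counted earlier would save the next reader from rediscovering the reason for the bound.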
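Review bot: the context lines of the second hunk (@@ -3098) show `return gnutls_assert_val(ret);` inside the loop, while pkcs11_find_objects_final(sinfo) is only reached after the loop, so that error path returns with the object search still open. This is not introduced by the patch, but since the loop exit is being reworked here it would be worth breaking out of the loop with ret set and returning after the final call, unless the caller is known to finalize the search itself.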