authorwtc%google.com <devnull@localhost>2011-07-26 16:09:20 +0000
committerwtc%google.com <devnull@localhost>2011-07-26 16:09:20 +0000
commit20b6ebf47bf7c315b60c5a9cb0efe61a1cbdaf35 (patch)
treee0cf3f5c22ec0074a44a0feb6beb6e6e2342f7f2
parent538e5256abee1e658be6d2a2206454c0be2103ab (diff)
downloadnss-hg-NSS_3_12_11_BETA1.tar.gz
Bug 617565: Prevent buffer overflow in PK11_DeriveWithTemplate and pk11_AnyUnwrapKey template handling. (tag: NSS_3_12_11_BETA1)
The patch was written by Brian Smith <bsmith@mozilla.com>. r=wtc. Tag: NSS_3_12_BRANCH
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index ae72f52e7..0cc7cea60 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -1457,7 +1457,9 @@ PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
CK_ULONG valueLen = 0;
CK_MECHANISM mechanism;
CK_RV crv;
- CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
+#define MAX_ADD_ATTRS 4
+ CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
+#undef MAX_ADD_ATTRS
CK_ATTRIBUTE * attrs = keyTemplate;
CK_SESSION_HANDLE session;
unsigned int templateCount;
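Review bot: The `MAX_ADD_ATTRS 4` headroom added to `keyTemplate` is a bare number with no comment tying it to the attributes the function appends after the caller's template, and the same define/undef pair is repeated in the pk11_AnyUnwrapKey hunk. If a later change appends one more attribute in either function, nothing forces the constant to follow and the stack array is overrun again. I would define it once at file scope next to MAX_TEMPL_ATTRS, with a comment such as `/* attributes appended to a caller template by derive/unwrap; raise this when adding one */`. The appending code lies outside this hunk, so whether 4 covers the worst case in both functions cannot be confirmed from here.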
@@ -1466,6 +1468,7 @@ PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
+
/* first copy caller attributes in. */
for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
*attrs++ = *userAttr++;
@@ -1495,7 +1498,7 @@ PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
}
templateCount = attrs - keyTemplate;
- PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
+ PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
/* move the key to a slot that can do the function */
if (!PK11_DoesMechanism(slot,derive)) {
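Review bot: The updated `PR_ASSERT` runs only after every attribute has already been written through `attrs`, and NSPR compiles it out of non-debug builds, so it documents the bound rather than enforcing it. The real protection appears to be the `numAttrs` argument check earlier in the function plus the new headroom; that check's condition is outside the hunk and should be confirmed to reject `numAttrs > MAX_TEMPL_ATTRS`. I would say so next to the assert, e.g. `/* debug-only; the bound is enforced by the numAttrs check plus MAX_ADD_ATTRS */`. Writing the count as `sizeof(keyTemplate)/sizeof(keyTemplate[0])` would also keep it correct if the element type ever changes. No matching assert change is visible for pk11_AnyUnwrapKey in this commit, so it is worth checking that it uses the same bound.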
@@ -2024,7 +2027,9 @@ pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
CK_SESSION_HANDLE rwsession;
CK_RV crv;
CK_MECHANISM_INFO mechanism_info;
- CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
+#define MAX_ADD_ATTRS 4
+ CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
+#undef MAX_ADD_ATTRS
CK_ATTRIBUTE * attrs = keyTemplate;
unsigned int templateCount;
@@ -2032,6 +2037,7 @@ pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
+
/* first copy caller attributes in. */
for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
*attrs++ = *userAttr++;