projects / platform / upstream / iotivity.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c52d384)
[CONPRO-1354] Add length checks 10/194510/1
authorOleksii Beketov <ol.beketov@samsung.com>
Mon, 19 Nov 2018 17:15:52 +0000 (19:15 +0200)
committerDoHyun Pyun <dh79.pyun@samsung.com>
Wed, 5 Dec 2018 06:40:31 +0000 (15:40 +0900)
Added length checks before memcopies
in CheckInvalidDERSignature()

https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/pull/338
(cherry picked from commit f5bffc12019316989827988b13b5f18b87842a2f)

Change-Id: Ide87962a20a9154808a6de5ec739b0cf0c9ae735
Signed-off-by: Oleksii Beketov <ol.beketov@samsung.com>
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
resource/csdk/security/src/pkix_interface.c patch | blob | history

diff --git a/resource/csdk/security/src/pkix_interface.c b/resource/csdk/security/src/pkix_interface.c
index f89be89cee7889308e9f88ad5bd81b3219ea935d..6a487a9dd00bf17591e11c67e753a11881bb3c39 100644 (file)
--- a/resource/csdk/security/src/pkix_interface.c
+++ b/resource/csdk/security/src/pkix_interface.c
@@ -32,6 +32,8 @@
 
 #define TAG "OIC_SRM_PKIX_INTERFACE"
 
+#define ECC256_SIG_LEN 32+4
+
 static HWPkixContext_t gHwPkixCtx = {
     .getHwKeyContext = NULL,
     .freeHwKeyContext = NULL,
@@ -165,6 +167,7 @@ void CheckInvalidDERSignature(uint8_t *crtBuf, size_t *crtBufLen)
                 if(NULL == derCrtBufTmp)
                 {
                     OIC_LOG (ERROR, TAG, "Failed to allocate memory.");
+                    OICFree(certCopy);
                     goto exit;
                 }
 
@@ -195,8 +198,8 @@ void CheckInvalidDERSignature(uint8_t *crtBuf, size_t *crtBufLen)
         * | tag (INTEGER) | length (1B) | value (r or s in integer)  |
         * +---------------+-------------+----------------------------+
         */
-        uint8_t r_buf[32 + 4]; // for ECC 256 sign
-        uint8_t s_buf[32 + 4];
+        uint8_t r_buf[ECC256_SIG_LEN]; // for ECC 256 sign
+        uint8_t s_buf[ECC256_SIG_LEN];
         uint32_t r_len = 0;
         uint32_t s_len = 0;
         size_t sign_len = 0;
@@ -237,7 +240,7 @@ void CheckInvalidDERSignature(uint8_t *crtBuf, size_t *crtBufLen)
             {
                 r_len = sign_ptr[1] + 2; // including header itself
             }
-            if (r_len > deviceCert.sig.len)
+            if (r_len > deviceCert.sig.len || r_len > ECC256_SIG_LEN)
             {
                 OIC_LOG_V(ERROR, TAG, "signature length check error #1 : %d", ret);
                 goto exit;
@@ -254,7 +257,7 @@ void CheckInvalidDERSignature(uint8_t *crtBuf, size_t *crtBufLen)
             {
                 s_len = sign_ptr[1] + 2; // including header itself
             }
-            if (s_len + r_len > deviceCert.sig.len)
+            if (s_len + r_len > deviceCert.sig.len || s_len > ECC256_SIG_LEN)
             {
                 OIC_LOG_V(ERROR, TAG, "signature length check error #2 : %d", ret);
                 goto exit;
Domain: Network & Connectivity / IoT Connectivity;