Commit 3a28f55a authored by npzacs's avatar npzacs

Avoid integer overflows

parent 8ed5f650
......@@ -141,10 +141,19 @@ static int _validate_pk(const uint8_t *pk,
static int _rl_verify_signature(const uint8_t *rl, size_t size)
{
int entries = MKINT_BE32(rl + 12 + 8);
size_t len = 12 + 12 + 8 * entries; /* type_and_version_rec=12, rl_header=12, rl=entries*8 */
if (size < 40) {
BD_DEBUG(DBG_AACS, "too small revocation list\n");
return 0;
}
uint32_t entries = MKINT_BE32(rl + 12 + 8);
if (entries >= (0xffffffff - 24 - 40) / 8) {
BD_DEBUG(DBG_AACS, "invalid revocation list\n");
return 0;
}
if (len + 40 > size) {
size_t len = 12 + 12 + 8 * entries; /* type_and_version_rec=12, rl_header=12, rl=entries*8 */
if (len > size - 40) {
BD_DEBUG(DBG_AACS, "revocation list size mismatch\n");
return 0;
}
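Review bot: The constant 40 in `if (size < 40)`, in the `entries` bound and in `len > size - 40` is never explained, while the neighbouring comment spells out 12, 12 and 8. The bound `(0xffffffff - 24 - 40) / 8` is chosen so that 24 + 8*entries + 40 still fits in 32 bits, and the subtraction `size - 40` is safe only because of the earlier `size < 40` check. A short comment would keep those dependencies visible, for example `/* 40 = bytes following the entry table (presumably the signature); bound keeps 24 + 8*entries + 40 within 32 bits */`, or a named constant shared by the three uses. The function body continues outside the hunk.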
......
......@@ -238,11 +238,16 @@ const uint8_t *mkb_signature(MKB *mkb, size_t *len)
static int _cert_is_revoked(const uint8_t *rl, size_t rl_size, const uint8_t *cert_id_bin)
{
if (rl) {
if (rl && rl_size > 8) {
uint64_t cert_id = MKINT_BE48(cert_id_bin);
/*int total = MKINT_BE32(rl);*/
int entries = MKINT_BE32(rl + 4);
int ii;
uint32_t entries = MKINT_BE32(rl + 4);
unsigned ii;
if (entries >= (0xffffffff - 8 - 40) / 8) {
BD_DEBUG(DBG_MKB, "invalid revocation list\n");
return 0;
}
size_t rec_len = 4 + 4 + 8 * entries + 40;
if (rec_len > rl_size) {
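Review bot: The added `return 0` after `"invalid revocation list"` makes `_cert_is_revoked` answer "not revoked" whenever the entry count is out of range, so a malformed list cannot be told apart from one that simply does not contain the certificate. The same appears to hold when `rl_size <= 8`, though that branch ends outside the hunk. This is harmless if callers only pass a list whose signature and length were already checked, but the hunk does not show that. If that precondition holds, it should be stated at the top of the function, e.g. `/* rl must already be signature-verified; a malformed list is treated as containing no entries */`; otherwise callers need a distinct error return they can treat as a failure. The function body continues outside the hunk.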
......