[Skiboot] [PATCH 5/7] pkcs7: pkcs7_get_content_info_type should reset *p on error
Daniel Axtens
dja at axtens.net
Thu Jul 1 22:41:04 AEST 2021
Fuzzing revealed a crash where pkcs7_get_signed_data was accessing beyond
the bounds of the object, despite valid data being passed in to
mbedtls_pkcs7_parse_der.

Further investigation revealed that pkcs7_get_content_info_type will
reset *p to start if the second call to mbedtls_asn1_get_tag fails,
but not if the first call fails.

mbedtls_asn1_get_tag does indeed advance *p even in some failure
cases, so a reset is required.

Reset *p to start if the first call to mbedtls_asn1_get_tag fails.

Signed-off-by: Daniel Axtens <dja at axtens.net>
---
libstb/crypto/pkcs7/pkcs7.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libstb/crypto/pkcs7/pkcs7.c b/libstb/crypto/pkcs7/pkcs7.c
index 4407e201a4cc..a523a9d42a16 100644
--- a/libstb/crypto/pkcs7/pkcs7.c
+++ b/libstb/crypto/pkcs7/pkcs7.c
@@ -151,8 +151,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end,
ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE );
- if( ret != 0 )
+ if( ret != 0 ) {
+ *p = start;
return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret );
+ }
ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID );
if( ret != 0 ) {
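Review bot: In the first `if( ret != 0 )` block, the `*p = start;` restore is now written out by hand on each error path, which is the pattern that allowed one path to be missed in the first place. Consider routing both failures of mbedtls_asn1_get_tag through a single exit that restores `*p` whenever `ret != 0`, so a parse step added to pkcs7_get_content_info_type later cannot skip the reset. A short comment above the function stating that `*p` is left at `start` on any failure would record the contract that the commit message shows pkcs7_get_signed_data depends on, and the fuzzer input that produced the out-of-bounds access would be worth keeping as a regression test.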
--
2.30.2