Check-in [633a24960e]
Overview
Comment:Fixed a couple of issues found setting up test cases for the AFL fuzzer
SHA1:633a24960ec641d02d36c5160ad588198aa96d1f
User & Date: rkeene on 2015-07-23 20:45:50
Changes

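--- a/cackey.c
+++ b/cackey.c
@@ -2830,25 +2830,27 @@
 		identity->pcsc_identity->keysize = x509_to_keysize(identity->pcsc_identity->certificate, identity->pcsc_identity->certificate_len);
 	}
 
 	/* Pad message to key size */
 	if (padInput) {
 		if (identity->pcsc_identity->keysize > 0) {
 			if (buflen != identity->pcsc_identity->keysize) {
-				if (buflen > (identity->pcsc_identity->keysize + 3)) {
+				if (buflen > (identity->pcsc_identity->keysize - 3)) {
 					CACKEY_DEBUG_PRINTF("Error.  Message is too large to sign/decrypt");
 
 					return(-1);
 				}
 
 				tmpbuflen = identity->pcsc_identity->keysize;
 				tmpbuf = malloc(tmpbuflen);
 				free_tmpbuf = 1;
 
 				padlen = tmpbuflen - buflen - 3;
+
+				CACKEY_DEBUG_PRINTF("Need to pad the buffer with %llu bytes (tmpbuflen = %llu, buflen = %llu)", (unsigned long long) padlen, (unsigned long long) tmpbuflen, (unsigned long long) buflen);
 
 				/* RSA PKCS#1 EMSA-PKCS1-v1_5 Padding */
 				tmpbuf[0] = 0x00;
 				tmpbuf[1] = 0x01;
 				memset(&tmpbuf[2], 0xFF, padlen);
 				tmpbuf[padlen + 2]= 0x00;
 				memcpy(&tmpbuf[padlen + 3], buf, buflen);
@@ -7185,14 +7187,16 @@
 	CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
 
 	return(CKR_OK);
 }
 
 CK_DEFINE_FUNCTION(CK_RV, C_SignUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) {
 	int mutex_retval;
+	int resizeRetry;
+	int needResize;
 
 	CACKEY_DEBUG_PRINTF("Called.");
 
 	if (!cackey_initialized) {
 		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");
 
 		return(CKR_CRYPTOKI_NOT_INITIALIZED);
@@ -7245,19 +7249,47 @@
 		
 		return(CKR_OPERATION_NOT_INITIALIZED);
 	}
 
 	switch (cackey_sessions[hSession].sign_mechanism) {
 		case CKM_RSA_PKCS:
 			/* Accumulate directly */
-			if ((cackey_sessions[hSession].sign_bufused + ulPartLen) > cackey_sessions[hSession].sign_buflen) {
+			for (resizeRetry = 0; resizeRetry < 11; resizeRetry++) {
+				needResize = 0;
+				if ((cackey_sessions[hSession].sign_bufused + ulPartLen) > cackey_sessions[hSession].sign_buflen) {
+					needResize = 1;
+				}
+
+				if (!needResize) {
+					break;
+				}
+
+				CACKEY_DEBUG_PRINTF("Resizing signing buffer (try #%i of 10 -- 11th is fatal)", resizeRetry);
+
+				if (resizeRetry == 10) {
+					free(cackey_sessions[hSession].sign_buf);
+
+					cackey_sessions[hSession].sign_buflen = 0;
+					cackey_sessions[hSession].sign_buf = NULL;
+
+					break;
+				}
+
 				cackey_sessions[hSession].sign_buflen *= 2;
 
 				cackey_sessions[hSession].sign_buf = realloc(cackey_sessions[hSession].sign_buf, sizeof(*cackey_sessions[hSession].sign_buf) * cackey_sessions[hSession].sign_buflen);
 			}
+
+			if (cackey_sessions[hSession].sign_buf == NULL) {
+				cackey_mutex_unlock(cackey_biglock);
+
+				CACKEY_DEBUG_PRINTF("Error.  Signing buffer is NULL.");
+
+				return(CKR_GENERAL_ERROR);
+			}
 
 			memcpy(cackey_sessions[hSession].sign_buf + cackey_sessions[hSession].sign_bufused, pPart, ulPartLen);
 
 			cackey_sessions[hSession].sign_bufused += ulPartLen;
 
 			break;
 	}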
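Review bot: The realloc on new line 7279 still assigns its result straight into `sign_buf`, so on allocation failure the old buffer leaks and, because `sign_buflen` was already doubled on line 7277, the session is left holding a NULL buffer with a non-zero length; the NULL check on 7282 fails this call, but a later C_SignUpdate whose data fits that stale length skips the resize loop and memcpy()s through the NULL pointer on 7290. The size test on 7258 is also computed as `sign_bufused + ulPartLen` in CK_ULONG, so a very large ulPartLen can wrap below `sign_buflen` and bypass the resize entirely, whereas `ulPartLen > sign_buflen - sign_bufused` cannot overflow. If `sign_buflen` can be 0 when this runs (its initialisation is outside the hunk), `*= 2` never grows it and all ten tries are spent on zero-size reallocs, so that case deserves a look as well. The rewrite below keeps buffer, length and used-count consistent on failure and needs a `void *tmpbuf` declared next to resizeRetry; C_SignUpdate's body continues past the end of the hunk.

```c
				needResize = 0;
				if (ulPartLen > (cackey_sessions[hSession].sign_buflen - cackey_sessions[hSession].sign_bufused)) {
					needResize = 1;
				}
				/* … unchanged: break on !needResize, debug print, 11th-try give-up … */

				cackey_sessions[hSession].sign_buflen *= 2;

				/* Keep the old pointer until the new allocation is known to have succeeded */
				tmpbuf = realloc(cackey_sessions[hSession].sign_buf, sizeof(*cackey_sessions[hSession].sign_buf) * cackey_sessions[hSession].sign_buflen);
				if (tmpbuf == NULL) {
					/* Leave the session consistent: no buffer, no capacity, nothing accumulated */
					free(cackey_sessions[hSession].sign_buf);
					cackey_sessions[hSession].sign_buf = NULL;
					cackey_sessions[hSession].sign_buflen = 0;
					cackey_sessions[hSession].sign_bufused = 0;

					break;
				}
				cackey_sessions[hSession].sign_buf = tmpbuf;
			}
			/* … unchanged: NULL check, unlock, CKR_GENERAL_ERROR, memcpy … */
```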