Bug 617565: Prevent buffer overflow in PK11_DeriveWithTemplate and

pk11_AnyUnwrapKey template handling.  The patch is written by Brian Smith
<bsmith@mozilla.com>.  r=wtc.


git-svn-id: svn://10.0.0.236/trunk@262537 18797224-902f-48f8-a5cc-f745e15eee43
wtc%google.com 2011-07-26 16:02:07 +00:00
parent 8215514e1a
commit 0d44d5c9f4


@ -1457,7 +1457,9 @@ PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
CK_ULONG valueLen = 0;
CK_MECHANISM mechanism;
CK_RV crv;
CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
#define MAX_ADD_ATTRS 4
CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
#undef MAX_ADD_ATTRS
CK_ATTRIBUTE * attrs = keyTemplate;
CK_SESSION_HANDLE session;
unsigned int templateCount;
@ -1466,6 +1468,7 @@ PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
/* first copy caller attributes in. */
for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
*attrs++ = *userAttr++;
@ -1495,7 +1498,7 @@ PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
}
templateCount = attrs - keyTemplate;
PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
/* move the key to a slot that can do the function */
if (!PK11_DoesMechanism(slot,derive)) {
@ -2024,7 +2027,9 @@ pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
CK_SESSION_HANDLE rwsession;
CK_RV crv;
CK_MECHANISM_INFO mechanism_info;
CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
#define MAX_ADD_ATTRS 4
CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
#undef MAX_ADD_ATTRS
CK_ATTRIBUTE * attrs = keyTemplate;
unsigned int templateCount;
@ -2032,6 +2037,7 @@ pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
/* first copy caller attributes in. */
for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
*attrs++ = *userAttr++;
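Review bot: The `4` in `MAX_ADD_ATTRS` is a local magic number, defined and undefined separately in `PK11_DeriveWithTemplate` and `pk11_AnyUnwrapKey`, and nothing in these hunks ties it to the code that appends attributes after the caller-copy loop. The only visible check on the final count, `PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE))`, runs after the writes and is compiled out of non-debug builds, so the array size is the real protection against a stack overflow. I would define the constant once at file scope with a comment, e.g. `#define MAX_ADD_ATTRS 4 /* attributes appended after the caller's template; raise when adding one */`, and use it in both declarations. The hunks for `pk11_AnyUnwrapKey` do not show its assertion, so it is worth confirming that it uses the same `sizeof`-based bound. Both function bodies start and end outside the hunks shown.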