PKCS#1: Do not use pointer value after freeing
authorJouni Malinen <j@w1.fi>
Sun, 17 Dec 2023 10:10:13 +0000 (12:10 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 17 Dec 2023 10:17:10 +0000 (12:17 +0200)
The check for extra data was not dereferencing the pointer, but avoid
complaints about such uses by freeing the decrypted data only after the
check. The hexdump could have read freed memory, so that needs to be
before the freeing.

Fixes: 54ac6ff8c4a2 ("PKCS 1: Add function for checking v1.5 RSA signature")
Signed-off-by: Jouni Malinen <j@w1.fi>
src/tls/pkcs1.c

index 49e439d0276897c692927b4cbfce77c41b48c77f..7ea9cc7f32b09fdbf1cd82fb989eed4efab0730c 100644 (file)
@@ -322,8 +322,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
                return -1;
        }
 
-       os_free(decrypted);
-
        if (hdr.payload + hdr.length != decrypted + decrypted_len) {
                wpa_printf(MSG_INFO,
                           "PKCS #1: Extra data after signature - reject");
@@ -332,8 +330,12 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
                            hdr.payload + hdr.length,
                            decrypted + decrypted_len - hdr.payload -
                            hdr.length);
+
+               os_free(decrypted);
                return -1;
        }
 
+       os_free(decrypted);
+
        return 0;
 }
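Review bot: The two `os_free(decrypted)` calls added in this hunk keep the free duplicated on each exit path, which is the layout that let the earlier free end up ahead of the hexdump that still reads from the buffer. A single exit would make the ordering structural rather than something each branch has to get right: initialise a new local `int ret = -1;`, have the reject branch `goto out;` after the hexdump, and end the function with `ret = 0;` followed by `out: os_free(decrypted); return ret;`. The function body starts outside this hunk, so whether the earlier failure returns can share that label needs checking against the full function.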