]> git.ipfire.org Git - thirdparty/qemu.git/commitdiff
projects / thirdparty / qemu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c45b460)
hw/uefi: verify data size before accessing it in wrap_pkcs7
authorGerd Hoffmann <kraxel@redhat.com>
Wed, 22 Apr 2026 09:29:08 +0000 (11:29 +0200)
committerGerd Hoffmann <kraxel@redhat.com>
Fri, 8 May 2026 07:10:38 +0000 (09:10 +0200)
Fixes: CVE-2026-41439
Fixes: 3e33af2cb306 ("hw/uefi: add var-service-pkcs7.c")
Reported-by: Katherine Leaver <katherine.j.leaver@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20260422092910.444997-6-kraxel@redhat.com>

hw/uefi/var-service-pkcs7.c patch | blob | blame | history

diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c
index 32accf4e44e0a1908391a1687acb9b19ae01dca5..f17ad6872fd284f701d929b7e33ccb985fbc02fa 100644 (file)
--- a/hw/uefi/var-service-pkcs7.c
+++ b/hw/uefi/var-service-pkcs7.c
@@ -73,7 +73,8 @@ static void wrap_pkcs7(gnutls_datum_t *pkcs7)
     };
     gnutls_datum_t wrap;
 
-    if (pkcs7->data[4] == 0x06 &&
+    if (pkcs7->size > 16 &&
+        pkcs7->data[4] == 0x06 &&
         pkcs7->data[5] == 0x09 &&
         memcmp(pkcs7->data + 6, signed_data_oid, sizeof(signed_data_oid)) == 0 &&
         pkcs7->data[15] == 0x0a &&
Mirror of https://git.qemu.org/git/qemu.git