From: Hao Fang fanghao11@huawei.com
If flen > num_bytes, from_buffer has to be freed. The more reasonable approach is to do the size check before the memory is allocated.
Signed-off-by: Hao Fang fanghao11@huawei.com
---
src/uadk_rsa.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/uadk_rsa.c b/src/uadk_rsa.c
index 1289fd3..c9e2b34 100644
--- a/src/uadk_rsa.c
+++ b/src/uadk_rsa.c
@@ -1358,7 +1358,7 @@ static void rsa_free_pub_bn_ctx(unsigned char **from_buf)
}
static int rsa_create_pri_bn_ctx(RSA *rsa, struct rsa_prikey_param *pri,
- unsigned char **from_buf, int *num_bytes)
+ unsigned char **from_buf, int *num_bytes, int flen)
{
RSA_get0_key(rsa, &pri->n, &pri->e, &pri->d);
if (!(pri->n) || !(pri->e) || !(pri->d))
@@ -1376,6 +1376,9 @@ static int rsa_create_pri_bn_ctx(RSA *rsa, struct rsa_prikey_param *pri,
if (!(*num_bytes))
return UADK_E_FAIL;
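Review bot: The new `flen` parameter in the signature of rsa_create_pri_bn_ctx changes the helper's contract, but nothing documents it. The helper now validates the caller's input length as well as building the key context. I would add a short comment above the definition, for example `/* Returns UADK_E_FAIL, leaving *from_buf unallocated, when flen is larger than *num_bytes. */`, so that future callers know the bound is enforced here and that there is nothing to free on that path. The function body continues outside this hunk.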
+ if (flen > *num_bytes)
+ return UADK_E_FAIL;
+
*from_buf = OPENSSL_malloc(*num_bytes);
if (!(*from_buf))
return -ENOMEM;
@@ -1578,8 +1581,8 @@ static int uadk_e_rsa_private_decrypt(int flen, const unsigned char *from,
goto free_pkey;
}
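Review bot: The added guard `if (flen > *num_bytes)` bounds `flen` only from above, and `flen` is a signed `int`, so a negative length passes it and the allocation goes ahead. Whether the callers reject negative lengths before this call is not visible in the patch. If they do not, and `flen` is later used as a copy size into the `*num_bytes`-sized `from_buf`, the conversion to an unsigned size would defeat the bound. Writing the check as `if (flen < 0 || flen > *num_bytes)` makes it self-contained. rsa_create_pri_bn_ctx starts and ends outside this hunk.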
- ret = rsa_create_pri_bn_ctx(rsa, pri, &from_buf, &num_bytes);
- if (ret <= 0 || flen > num_bytes) {
+ ret = rsa_create_pri_bn_ctx(rsa, pri, &from_buf, &num_bytes, flen);
+ if (ret <= 0) {
ret = UADK_DO_SOFT;
goto free_sess;
}
@@ -1665,8 +1668,8 @@ static int uadk_e_rsa_private_sign(int flen, const unsigned char *from,
goto free_pkey;
}
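Review bot: With `flen > num_bytes` dropped from the condition, nothing at this call site in uadk_e_rsa_private_decrypt shows that the input length has been bounded before `from_buf` is used. A reader auditing the buffer handling would have to open the helper to find the check. A one-line comment above the call, such as `/* also rejects flen > num_bytes before allocating from_buf */`, keeps that invariant visible. The same applies to the identical change in uadk_e_rsa_private_sign in the next hunk. Both functions start and end outside their hunks.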
- ret = rsa_create_pri_bn_ctx(rsa, pri, &from_buf, &num_bytes);
- if (ret <= 0 || flen > num_bytes) {
+ ret = rsa_create_pri_bn_ctx(rsa, pri, &from_buf, &num_bytes, flen);
+ if (ret <= 0) {
ret = UADK_DO_SOFT;
goto free_sess;
}