
Commit b75c002

Jakujefrankmorgner
authored and committed
cac1: Correctly handle the buffer limits
Found by oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18618 and others
1 parent bfa8415 commit b75c002


1 file changed

+8
-6
lines changed


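--- a/src/libopensc/card-cac1.c
+++ b/src/libopensc/card-cac1.c
@@ -69,17 +69,16 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l
 u8 *out_ptr;
 size_t size = 0;
 size_t left = 0;
-size_t len, next_len;
+size_t len;
 sc_apdu_t apdu;
 int r = SC_SUCCESS;
 SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
 /* get the size */
 size = left = *out_buf ? *out_len : sizeof(buf);
 out_ptr = *out_buf ? *out_buf : buf;
 sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, CAC_INS_GET_CERTIFICATE, 0, 0 );
-next_len = MIN(left, 100);
-for (; left > 0; left -= len, out_ptr += len) {
-len = next_len;
+len = MIN(left, 100);
+for (; left > 0;) { /* Increments for readability in the end of the function */
 apdu.resp = out_ptr;
 apdu.le = len;
 apdu.resplen = left;
@@ -98,7 +97,10 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l
 left -= len;
 break;
 }
-next_len = MIN(left, apdu.sw2);
+/* Adjust the lengths */
+left -= len;
+out_ptr += len;
+len = MIN(left, apdu.sw2);
 }
 if (r < 0) {
 SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
@@ -128,7 +130,7 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
 int r = 0;
 u8 *val = NULL;
 u8 *cert_ptr;
-size_t val_len;
+size_t val_len = 0;
 size_t len, cert_len;
 u8 cert_type;
 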
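Review bot: In the second hunk the loop bookkeeping advances by the requested length, `left -= len; out_ptr += len;`, rather than by what the card actually returned, so a response shorter than `len` leaves the rest of that chunk counted as certificate data although nothing was written there; if the transmit between the hunks sets `apdu.resplen` to the received byte count (the call is not visible here), `left -= apdu.resplen; out_ptr += apdu.resplen;` would keep `left` and `out_ptr` in step with the buffer. A related gap is `len = MIN(left, apdu.sw2)` when `sw2` is 0 while `left` is still positive: `len` becomes 0, the next iteration requests nothing and the loop makes no progress unless the status-word handling outside the hunk already breaks in that case, so a guard `if (len == 0) break;` after the assignment would make termination independent of that check. The body of cac_cac1_get_certificate starts before the first hunk, and the transmit and status checks between the first two hunks are outside the visible lines.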