Merge pull request #7 from bellgrim/OPENDNSSEC-537

OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.

NEWS

@@ -6,8 +6,10 @@ Bugfixes:
 * OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
 * OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
 * OPENDNSSEC-515: Signer Engine: Don't replace tabs in RRs with whitespace.
+* OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.
 * SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512]
 
+
 OpenDNSSEC 1.4.3 - 2013-12-04
 
 * SUPPORT-72: Improve logging when failed to increment serial in case 

libhsm/src/lib/libhsm.c

@@ -397,9 +397,19 @@ hsm_get_slot_id(hsm_ctx_t *ctx,
         hsm_ctx_set_error(ctx, HSM_ERROR, "hsm_get_slot_id()",
                           "No slots found in HSM");
         return HSM_ERROR;
+    } else if (slotCount > (SIZE_MAX / sizeof(CK_SLOT_ID))) {
+        hsm_ctx_set_error(ctx, HSM_ERROR, "hsm_get_slot_id()",
+                          "Too many slots found in HSM");
+        return HSM_ERROR;
     }
 
     slotIds = malloc(sizeof(CK_SLOT_ID) * slotCount);
+    if(slotIds == NULL) {
+        hsm_ctx_set_error(ctx, HSM_ERROR, "hsm_get_slot_id()",
+                          "Could not allocate slot ID table");
+        return HSM_ERROR;
+    }
+
     rv = pkcs11_functions->C_GetSlotList(CK_TRUE, slotIds, &slotCount);
     if (hsm_pkcs11_check_error(ctx, rv, "get slot list")) {
         return HSM_ERROR;