Fix buffer overflow in the slot array
Slots are numbered from 1, but the slot array is a C array so it's
numbered from 0.
Add a non-regression test.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 210fa5f..fe30729 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -82,6 +82,8 @@
+#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
+
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n )
{
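Review bot: The new ARRAY_LENGTH macro at the top of the hunk has no protection against being applied to a pointer, where `sizeof( array ) / sizeof( *( array ) )` still compiles but yields the pointer size divided by the element size instead of an element count. Since the macro now drives the bounds check in psa_get_key_slot, a comment on the definition would make the constraint explicit: `/* Number of elements in ARRAY. Only meaningful for a true array object; applied to a pointer (e.g. an array parameter) it compiles but silently yields a wrong value. */`. The mbedtls_zeroize definition that follows continues past the end of the hunk.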
@@ -343,10 +345,13 @@
static psa_status_t psa_get_key_slot( psa_key_slot_t key,
key_slot_t **p_slot )
{
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
+ /* 0 is not a valid slot number under any circumstance. This
+ * implementation provides slots number 1 to N where N is the
+ * number of available slots. */
+ if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) )
return( PSA_ERROR_INVALID_ARGUMENT );
- *p_slot = &global_data.key_slots[key];
+ *p_slot = &global_data.key_slots[key - 1];
return( PSA_SUCCESS );
}
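Review bot: psa_get_key_slot has no function comment stating the numbering contract that the new check and the `key - 1` index enforce, so the 1-based-in, 0-based-out translation has to be inferred from the body. I would add above the signature: `/* Map a 1-based slot number to a pointer to the slot. Returns PSA_ERROR_INVALID_ARGUMENT for 0 or a number above the slot array length; does not check whether the slot holds a key. */`. In the inline comment, `slots number 1 to N` reads better as `slots numbered 1 to N`. The commit message mentions a non-regression test, but no test change is visible in this part of the diff; it may be in a hunk outside this view.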