Fix memory corruption in rsa sign/verify programs
We have no guarantee there is enough room in the argv strings.
Fixes #210
diff --git a/ChangeLog b/ChangeLog
index d2bd81e..4c600e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,7 @@
Aleksandrs Saveljevs) (#238)
* Fix unused function warning when using MBEDTLS_MDx_ALT or
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
+ * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
Changes
* The PEM parser now accepts a trailing space at end of lines (#226).
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index d86fe3a..3ff411a 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -32,6 +32,7 @@
#include <stdio.h>
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
+#define mbedtls_snprintf snprintf
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
@@ -60,6 +61,7 @@
mbedtls_rsa_context rsa;
unsigned char hash[20];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+ char filename[512];
ret = 1;
@@ -135,11 +137,11 @@
}
/*
- * Write the signature into <filename>-sig.txt
+ * Write the signature into <filename>.sig
*/
- memcpy( argv[1] + strlen( argv[1] ), ".sig", 5 );
+ mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] );
- if( ( f = fopen( argv[1], "wb+" ) ) == NULL )
+ if( ( f = fopen( filename, "wb+" ) ) == NULL )
{
ret = 1;
mbedtls_printf( " failed\n ! Could not create %s\n\n", argv[1] );
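Review bot: The result of `mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] )` is never checked, so an `argv[1]` longer than 507 characters is silently truncated and `fopen( filename, "wb+" )` creates a file at a path that is not `<filename>.sig`. I would reject that case explicitly, e.g. `if( (size_t) mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] ) >= sizeof(filename) ) goto exit;`, with `ret` left at its failure value and a short message printed first. The same unchecked call is added in the rsa_verify.c hunk, where a truncated name would make the program read the signature from a different file than the one named on the command line. Separately, the unchanged "Could not create %s" message in this hunk still prints `argv[1]`, which after this change is the input file rather than the signature file; it should print `filename`. The enclosing function starts and ends outside the hunk, so how `ret` is set on the other error paths is not visible here.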
@@ -152,7 +154,7 @@
fclose( f );
- mbedtls_printf( "\n . Done (created \"%s\")\n\n", argv[1] );
+ mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename );
exit:
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index fefc6e0..63cc17c 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -31,6 +31,7 @@
#else
#include <stdio.h>
#define mbedtls_printf printf
+#define mbedtls_snprintf snprintf
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
@@ -59,6 +60,7 @@
mbedtls_rsa_context rsa;
unsigned char hash[20];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+ char filename[512];
ret = 1;
if( argc != 2 )
@@ -99,17 +101,15 @@
* Extract the RSA signature from the text file
*/
ret = 1;
- i = strlen( argv[1] );
- memcpy( argv[1] + i, ".sig", 5 );
+ mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] );
- if( ( f = fopen( argv[1], "rb" ) ) == NULL )
+ if( ( f = fopen( filename, "rb" ) ) == NULL )
{
- mbedtls_printf( "\n ! Could not open %s\n\n", argv[1] );
+ mbedtls_printf( "\n ! Could not open %s\n\n", filename );
goto exit;
}
- argv[1][i] = '\0', i = 0;
-
+ i = 0;
while( fscanf( f, "%02X", &c ) > 0 &&
i < (int) sizeof( buf ) )
buf[i++] = (unsigned char) c;