From 58269c35ef0feac86a4cf222a476fa0839aaf335 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Fri, 8 Jun 2018 01:15:26 +0200
Subject: [PATCH] fix memory corruption caused by use-after-free

Signed-off-by: Daniel Golle
This work was sponsored by WIO (wiowireless.com)
---
 ucert.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ucert.c b/ucert.c
index 7e419d4..49d39e9 100644
--- a/ucert.c
+++ b/ucert.c
@@ -156,8 +156,15 @@ static int cert_load(const char *certfile, struct list_head *chain) {
 else
 pos += blob_pad_len(bufpt);
 
+ if (!certtb[CERT_ATTR_SIGNATURE])
+ /* no signature -> drop */
+ break;
+
 cobj = calloc(1, sizeof(*cobj));
- memcpy(cobj->cert, &certtb, sizeof(certtb));
+ cobj->cert[CERT_ATTR_SIGNATURE] = blob_memdup(certtb[CERT_ATTR_SIGNATURE]);
+ if (certtb[CERT_ATTR_PAYLOAD])
+ cobj->cert[CERT_ATTR_PAYLOAD] = blob_memdup(certtb[CERT_ATTR_PAYLOAD]);
+
 list_add_tail(&cobj->list, chain);
 ret += pret;
 bufpt = blob_next(bufpt);
-- 
2.25.1
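Review bot: Neither the `calloc()` result nor the two `blob_memdup()` results are checked before `list_add_tail()`, so on allocation failure `cobj->cert[...]` is written through a NULL pointer, or an entry with a NULL signature is queued even though the new guard a few lines earlier treats a missing signature as grounds to drop. A certificate chain loader should fail closed here: check `cobj`, then free and reject the entry if either copy is missing, as sketched below. The `break` mirrors what the hunk does for the unsigned case; whether callers see that as an error depends on code outside the hunk, since `cert_load` starts and ends beyond it. The duplicated blobs are now heap-owned by each `cobj`, so the code that tears the chain down (not visible here) needs to free both `cert[]` entries as well.

```c
		cobj = calloc(1, sizeof(*cobj));
		if (!cobj)
			break;
		/* … unchanged: blob_memdup() of signature and optional payload … */
		if (!cobj->cert[CERT_ATTR_SIGNATURE] ||
		    (certtb[CERT_ATTR_PAYLOAD] && !cobj->cert[CERT_ATTR_PAYLOAD])) {
			/* fail closed: never queue a partially copied entry */
			free(cobj->cert[CERT_ATTR_PAYLOAD]);
			free(cobj->cert[CERT_ATTR_SIGNATURE]);
			free(cobj);
			break;
		}
		/* … unchanged: list_add_tail(), ret/bufpt advance … */
```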