fix memory corruption caused by use-after-free

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

diff --git a/ucert.c b/ucert.c
index 7e419d4d8b04700df3b6f06803706f5be3ba6185..49d39e9fa58c226aad93d1d48694609b86145b48 100644 (file)
--- a/ucert.c
+++ b/ucert.c
@@ -156,8 +156,15 @@ static int cert_load(const char *certfile, struct list_head *chain) {
                else
                        pos += blob_pad_len(bufpt);
 
+               if (!certtb[CERT_ATTR_SIGNATURE])
+                       /* no signature -> drop */
+                       break;
+
                cobj = calloc(1, sizeof(*cobj));
-               memcpy(cobj->cert, &certtb, sizeof(certtb));
+               cobj->cert[CERT_ATTR_SIGNATURE] = blob_memdup(certtb[CERT_ATTR_SIGNATURE]);
+               if (certtb[CERT_ATTR_PAYLOAD])
+                       cobj->cert[CERT_ATTR_PAYLOAD] = blob_memdup(certtb[CERT_ATTR_PAYLOAD]);
+
                list_add_tail(&cobj->list, chain);
                ret += pret;
                bufpt = blob_next(bufpt);