From 58269c35ef0feac86a4cf222a476fa0839aaf335 Mon Sep 17 00:00:00 2001
From: Daniel Golle <daniel@makrotopia.org>
Date: Fri, 8 Jun 2018 01:15:26 +0200
Subject: [PATCH] fix memory corruption caused by use-after-free

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
---
 ucert.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ucert.c b/ucert.c
index 7e419d4..49d39e9 100644
--- a/ucert.c
+++ b/ucert.c
@@ -156,8 +156,15 @@ static int cert_load(const char *certfile, struct list_head *chain) {
 		else
 			pos += blob_pad_len(bufpt);
 
+		if (!certtb[CERT_ATTR_SIGNATURE])
+			/* no signature -> drop */
+			break;
+
 		cobj = calloc(1, sizeof(*cobj));
-		memcpy(cobj->cert, &certtb, sizeof(certtb));
+		cobj->cert[CERT_ATTR_SIGNATURE] = blob_memdup(certtb[CERT_ATTR_SIGNATURE]);
+		if (certtb[CERT_ATTR_PAYLOAD])
+			cobj->cert[CERT_ATTR_PAYLOAD] = blob_memdup(certtb[CERT_ATTR_PAYLOAD]);
+
 		list_add_tail(&cobj->list, chain);
 		ret += pret;
 		bufpt = blob_next(bufpt);
-- 
2.25.1