PKCS#1: Do not use pointer value after freeing

The check for extra data was not dereferencing the pointer, but avoid
complaints about such uses by freeing the decrypted data only after the
check. The hexdump could have read freed memory, so that needs to be
before the freeing.

Fixes: 54ac6ff8c4 ("PKCS 1: Add function for checking v1.5 RSA signature")
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2023-12-17 12:10:13 +02:00
parent 231d86ef91
commit 33b5fc0763


@ -322,8 +322,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
return -1; return -1;
} }
os_free(decrypted);
if (hdr.payload + hdr.length != decrypted + decrypted_len) { if (hdr.payload + hdr.length != decrypted + decrypted_len) {
wpa_printf(MSG_INFO, wpa_printf(MSG_INFO,
"PKCS #1: Extra data after signature - reject"); "PKCS #1: Extra data after signature - reject");
@ -332,8 +330,12 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
hdr.payload + hdr.length, hdr.payload + hdr.length,
decrypted + decrypted_len - hdr.payload - decrypted + decrypted_len - hdr.payload -
hdr.length); hdr.length);
os_free(decrypted);
return -1; return -1;
} }
os_free(decrypted);
return 0; return 0;
} }
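Review bot: The two `os_free(decrypted)` calls added in the second hunk (after the hexdump on the reject path and before `return 0`) carry no hint of why their position matters, so a later edit could hoist the free above the extra-data check again. The comparison against `decrypted + decrypted_len` suggests `hdr.payload` points into the `decrypted` buffer, so a comment at the check would record the lifetime rule, e.g. `/* hdr.payload points into decrypted; free it only after the last use of hdr */`. As a style point, a single `ret` variable with one `os_free(decrypted); return ret;` at the end would remove the duplicated free. The function starts outside the hunk, so whether the earlier `return -1` path shown as context releases the buffer cannot be checked from here.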