PKCS#1: Do not use pointer value after freeing
The check for extra data was not dereferencing the pointer, but avoid
complaints about such uses by freeing the decrypted data only after the
check. The hexdump could have read freed memory, so that needs to be
before the freeing.
Fixes: 54ac6ff8c4
("PKCS 1: Add function for checking v1.5 RSA signature")
Signed-off-by: Jouni Malinen <j@w1.fi>
parent
231d86ef91
commit
33b5fc0763
1 changed files with 4 additions and 2 deletions
|
@ -322,8 +322,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
os_free(decrypted);
|
|
||||||
|
|
||||||
if (hdr.payload + hdr.length != decrypted + decrypted_len) {
|
if (hdr.payload + hdr.length != decrypted + decrypted_len) {
|
||||||
wpa_printf(MSG_INFO,
|
wpa_printf(MSG_INFO,
|
||||||
"PKCS #1: Extra data after signature - reject");
|
"PKCS #1: Extra data after signature - reject");
|
||||||
|
@ -332,8 +330,12 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
|
||||||
hdr.payload + hdr.length,
|
hdr.payload + hdr.length,
|
||||||
decrypted + decrypted_len - hdr.payload -
|
decrypted + decrypted_len - hdr.payload -
|
||||||
hdr.length);
|
hdr.length);
|
||||||
|
|
||||||
|
os_free(decrypted);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
os_free(decrypted);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
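Review bot: The two `os_free(decrypted);` calls added in the second hunk carry no comment explaining why they sit after the extra-data check, and that ordering is what keeps the hexdump from reading freed memory. Because `hdr.payload + hdr.length` is compared against `decrypted + decrypted_len`, `hdr.payload` evidently points into the decrypted buffer, so a one-line comment above the first free would guard the ordering against later refactoring: `/* hdr.payload points into decrypted; free only after the last use of hdr */`. pkcs1_v15_sig_ver starts outside these hunks, so its other exit paths are not visible here. If they also free the buffer individually, a single cleanup label would remove the duplication, but that cannot be judged from the lines shown.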