Hello,
I propose a patch for the PKCS#11 module (src/pkcs11/pkcs11-object.c) that adds NULL-pointer argument checks to several C_* entry points.

It fixes the following: any of these calls (each passing NULL_PTR where a valid pointer is required)
C_CreateObject(hSession, NULL_PTR, 1, NULL_PTR);
C_GetAttributeValue(hSession, hObject, NULL_PTR, 1);
C_SetAttributeValue(hSession, hObject, NULL_PTR, 1);
C_FindObjectsInit(hSession, NULL_PTR, 1);
C_FindObjects(hSession, NULL_PTR, 0, NULL_PTR);
C_FindObjects(hSession, NULL_PTR, 1, NULL_PTR);
C_FindObjects(hSession, NULL_PTR, 1, pulObjectCount);
C_DigestInit(hSession, NULL_PTR);
C_SignInit(hSession, NULL_PTR, hKey);
C_SignRecoverInit(hSession, NULL_PTR, hKey);
C_DecryptInit(hSession, NULL_PTR, hKey);
C_VerifyInit(hSession, NULL_PTR, hKey);
C_GenerateKeyPair(hSession, NULL_PTR, pubKeyTmpl, arraysize(pubKeyTmpl), prvKeyTmpl, arraysize(prvKeyTmpl), &hPubKey, &hPrvKey);
C_GenerateKeyPair(hSession, pMechanism, pubKeyTmpl, arraysize(pubKeyTmpl), NULL_PTR, 1, &hPubKey, &hPrvKey);
C_GenerateKeyPair(hSession, pMechanism, NULL_PTR, 1, prvKeyTmpl, arraysize(prvKeyTmpl), &hPubKey, &hPrvKey);
=>
Segmentation fault

Any comments on the patch?
Index: src/pkcs11/pkcs11-object.c
===================================================================
--- src/pkcs11/pkcs11-object.c  (revision 3885)
+++ src/pkcs11/pkcs11-object.c  (working copy)
@@ -40,6 +40,11 @@
        rv = sc_pkcs11_lock();
        if (rv != CKR_OK)
                return rv;
+
+       if (pTemplate == NULL_PTR && ulCount > 0) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
        dump_template("C_CreateObject()", pTemplate, ulCount);
 
        rv = pool_find(&session_pool, hSession, (void**) &session);
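Review bot: The new guard leaves the output handle unchecked: the repro at the top of this mail passes NULL_PTR as the fourth argument (phObject), so if C_CreateObject stores the new handle through phObject later in the body (outside this hunk) the crash is only moved, not removed. Extending the condition costs one clause: `if ((pTemplate == NULL_PTR && ulCount > 0) || phObject == NULL_PTR) {`. The `out:` label this branch jumps to is outside the hunk; since the check runs after sc_pkcs11_lock(), it is assumed to call sc_pkcs11_unlock() the way the C_DigestInit hunk of the same patch does. C_CreateObject's header and tail are outside the hunk.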
@@ -129,6 +134,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pTemplate == NULL_PTR || ulCount == 0) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
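Review bot: Rejecting `ulCount == 0` with CKR_ARGUMENTS_BAD goes beyond what is needed to stop the crash and differs from the `pTemplate == NULL_PTR && ulCount > 0` rule the same patch applies in C_CreateObject and the C_FindObjectsInit hunk; a zero-length template is never dereferenced, and a caller passing an empty template presumably expects CKR_OK with nothing done. Unless a zero count is known to misbehave in the lower layer, `if (pTemplate == NULL_PTR && ulCount > 0) {` is the consistent form. The hunk header does not name the function (by the order of the repro list this looks like C_GetAttributeValue), and its body starts and ends outside the hunk.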
@@ -187,6 +197,10 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pTemplate == NULL_PTR || ulCount == 0) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
        dump_template("C_SetAttributeValue", pTemplate, ulCount);
 
        rv = pool_find(&session_pool, hSession, (void**) &session);
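Review bot: The template guard is now spelled two different ways in the patch (`pTemplate == NULL_PTR || ulCount == 0` here, `pTemplate == NULL_PTR && ulCount > 0` in the C_CreateObject hunk), so the policy on empty templates depends on which function you call; a file-scope helper would keep it in one place, e.g. `static int template_ok(CK_ATTRIBUTE_PTR t, CK_ULONG n) { return t != NULL_PTR || n == 0; }` used as `if (!template_ok(pTemplate, ulCount)) { rv = CKR_ARGUMENTS_BAD; goto out; }`. Whichever policy is chosen, it should be the same in every hunk. Style-wise this hunk also drops the blank line between the guard and dump_template that the neighbouring hunks keep. C_SetAttributeValue's body continues outside the hunk.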
@@ -230,6 +244,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pTemplate == NULL_PTR && ulCount > 0) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
@@ -324,6 +343,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (phObject == NULL_PTR || ulMaxObjectCount == 0 || pulObjectCount == 
NULL_PTR) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
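Review bot: The guard rejects `ulMaxObjectCount == 0` and a NULL `phObject` unconditionally, which is stricter than the crash requires: with a zero maximum nothing is ever written through phObject, so a caller polling with `C_FindObjects(hSession, NULL_PTR, 0, &count)` now gets CKR_ARGUMENTS_BAD where CKR_OK with *pulObjectCount == 0 would be the natural answer. Of the three repro calls only the NULL pulObjectCount is an unconditional fault. A form consistent with the template checks elsewhere in the patch is `if (pulObjectCount == NULL_PTR || (phObject == NULL_PTR && ulMaxObjectCount > 0)) {`; if the lower layer cannot cope with a zero maximum, that is better handled explicitly than reported as a bad argument. C_FindObjects's body continues outside the hunk.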
@@ -385,12 +409,17 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pMechanism == NULL_PTR) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv == CKR_OK)
                rv = sc_pkcs11_md_init(session, pMechanism);
        sc_debug(context, "C_DigestInit returns %d\n", rv);
 
-       sc_pkcs11_unlock();
+out:   sc_pkcs11_unlock();
        return rv;
 }
 
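Review bot: The new label is fused to the statement, `out:   sc_pkcs11_unlock();`, which reads as an oddly aligned statement and is the only label the patch introduces; the other functions' `goto out` targets are outside their hunks, but a label on its own line is the usual shape and presumably what the rest of the file does. Writing `out:` on one line and `sc_pkcs11_unlock();` on the next keeps that convention. Since the argument check now sits after sc_pkcs11_lock(), every early exit in C_DigestInit must pass through this label; a one-line comment such as `/* all exits after sc_pkcs11_lock() go through out: */` would protect that invariant against the next edit. C_DigestInit's header is outside the hunk.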
@@ -483,6 +512,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pMechanism == NULL_PTR) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
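Review bot: This is the second of five identical copies of the five-line `pMechanism == NULL_PTR` guard in the patch (C_DigestInit above, three hunks below); a single macro that sets rv and jumps to out, e.g. `#define CHECK_ARG(cond) do { if (!(cond)) { rv = CKR_ARGUMENTS_BAD; goto out; } } while (0)` used as `CHECK_ARG(pMechanism != NULL_PTR);`, would keep the copies from drifting. A macro hiding a goto is not to everyone's taste, in which case a static helper returning CK_RV is the alternative. The hunk header does not name the function (by the repro order this would be C_SignInit), and its body starts and ends outside the hunk.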
@@ -632,6 +666,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pMechanism == NULL_PTR) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
@@ -727,6 +766,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pMechanism == NULL_PTR) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
@@ -864,6 +908,12 @@
        rv = sc_pkcs11_lock();
        if (rv != CKR_OK)
                return rv;
+       if (pMechanism == NULL_PTR
+                       || (pPublicKeyTemplate == NULL_PTR && 
ulPublicKeyAttributeCount > 0)
+                       || (pPrivateKeyTemplate == NULL_PTR && 
ulPrivateKeyAttributeCount > 0)) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
        dump_template("C_CreateObject(), PrivKey attrs", pPrivateKeyTemplate, 
ulPrivateKeyAttributeCount);
        dump_template("C_CreateObject(), PubKey attrs", pPublicKeyTemplate, 
ulPublicKeyAttributeCount);
 
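Review bot: The two output handle pointers are not validated: the patch checks pMechanism and both templates, but C_GenerateKeyPair has to store into phPublicKey and phPrivateKey eventually (those stores are outside the hunk), so a NULL there would still fault where the template case now returns cleanly. Adding `|| phPublicKey == NULL_PTR || phPrivateKey == NULL_PTR` to the same condition closes that gap. The untouched context lines label both dumps as `C_CreateObject()`; since the patch already edits this spot, renaming them to `C_GenerateKeyPair()` would stop the debug log from misattributing the templates. The function's header and tail are outside the hunk.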
@@ -912,6 +962,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pMechanism == NULL_PTR || (pTemplate == NULL_PTR && 
ulAttributeCount > 0)) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;
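Review bot: The output handle parameter is left unchecked here as well: the hunk validates pMechanism and the template but not the pointer the resulting key handle is written through (phKey, if this is C_GenerateKey or C_UnwrapKey — the function name is outside the hunk), so a NULL there would still fault once the template check passes. A further `|| phKey == NULL_PTR` clause in the same condition would cover it, provided the function indeed takes such a parameter. The condition is also written on one line while the C_GenerateKeyPair hunk breaks its sub-conditions one per line; matching that layout helps readers compare the two.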
@@ -1036,6 +1091,11 @@
        if (rv != CKR_OK)
                return rv;
 
+       if (pMechanism == NULL_PTR) {
+               rv = CKR_ARGUMENTS_BAD;
+               goto out;
+       }
+
        rv = pool_find(&session_pool, hSession, (void**) &session);
        if (rv != CKR_OK)
                goto out;