From 290f01b3f54a16045be201699becda8f500eebd5 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Sun, 27 Nov 2022 21:28:31 +0100
Subject: [PATCH] Fix dangling freed pointer on error in pkcs7_get_signers_info_set

This fixes a use-after-free in PKCS#7 parsing when the signer data is malformed. Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798).

Signed-off-by: Gilles Peskine
---
 library/pkcs7.c | 5 +++--
 ...t-missing_free-fuzz_pkcs7-6213931373035520.der | Bin 0 -> 108 bytes
 tests/suites/test_suite_pkcs7.data | 3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der

diff --git a/library/pkcs7.c b/library/pkcs7.c
index ca0170a6d..783aaa288 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -430,15 +430,16 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end,
     goto out;
 
 cleanup:
-    signer = signers_set->next;
     pkcs7_free_signer_info( signers_set );
-    while( signer )
+    signer = signers_set->next;
+    while( signer != NULL )
     {
         prev = signer;
         signer = signer->next;
         pkcs7_free_signer_info( prev );
         mbedtls_free( prev );
     }
+    signers_set->next = NULL;
 
 out:
     return( ret );
diff --git a/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
new file mode 100644
index 0000000000000000000000000000000000000000..ce4fb3bd49fdaf0ccd10069af549eb55ec9554fe
GIT binary patch
literal 108
zcmXrWVq#=8FQ)N1o+`_9YA&S>avAPZDrz-_=`$Y#L8#=y+L
V!~mq36ch}Y*cezC2uLd+0|0Qt3R(aF

literal 0
HcmV?d00001

diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 4f81b6f28..5ecfb9111 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
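Review bot: The new `signers_set->next = NULL;` at the end of the cleanup path carries no comment saying why it is needed, and the reason is not obvious from the hunk: the loop hands every chained entry to `mbedtls_free( prev )`, but `signers_set` itself is only passed to `pkcs7_free_signer_info`, so it appears to be owned by the caller and to stay reachable after this function fails. Without detaching the freed tail, a later cleanup of that structure would follow `next` into freed memory, which is presumably the use-after-free the commit message describes. I would add above that line: `/* signers_set is not freed here (caller-owned); detach the freed tail so a later cleanup of the enclosing structure cannot walk it again. */`. The reordering that now reads `signers_set->next` only after `pkcs7_free_signer_info( signers_set )` also relies on that helper leaving `next` untouched, which is not visible in the hunk and may deserve a word in the same comment. pkcs7_get_signers_info_set starts outside the hunk.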
@@ -62,6 +62,9 @@ PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2
 depends_on:MBEDTLS_SHA256_C
 pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
 
+pkcs7_get_signers_info_set error handling (6213931373035520)
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
 PKCS7 Only Signed Data Parse Pass #15
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
 pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
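Review bot: The added test case has no `depends_on:` line, while both neighbouring cases in this hunk declare `depends_on:MBEDTLS_SHA256_C` (the second one `MBEDTLS_RSA_C` as well). If parsing this fuzz input reaches code that needs one of those modules, the case will fail in configurations without it; if the malformed signerInfo is rejected in ASN.1 parsing before any hash or key code runs, the omission is deliberate and correct, but nothing in the hunk says which. A short note on the case, e.g. `# no depends_on: the input is rejected during ASN.1 parsing before any hash or key code is reached`, would record the intent, assuming the .data format accepts a comment line at that point.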