pk_wrap: nullify the signature pointer on error in extract_ecdsa_sig

Fix a double free error in ecdsa_verify_wrap
This commit is contained in:
Andrzej Kurek 2018-11-07 03:19:08 -05:00
parent 1e3b6865d7
commit 6d49ae9223

View file

@ -576,10 +576,11 @@ static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end,
memcpy( sig->p, *p, len_partial ); memcpy( sig->p, *p, len_partial );
len_signature = len_partial; len_signature = len_partial;
( *p ) += len_partial; ( *p ) += len_partial;
if( ( ret = mbedtls_asn1_get_tag( p, end, &len_partial, MBEDTLS_ASN1_INTEGER ) ) if( ( ret = mbedtls_asn1_get_tag( p, end, &len_partial,
!= 0 ) MBEDTLS_ASN1_INTEGER ) ) != 0 )
{ {
mbedtls_free( sig->p ); mbedtls_free( sig->p );
sig->p = NULL;
return( ret ); return( ret );
} }
@ -684,10 +685,7 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
psa_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ); psa_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve );
if( extract_ecdsa_sig( &p, p + sig_len, &signature ) != 0 ) if( extract_ecdsa_sig( &p, p + sig_len, &signature ) != 0 )
{ return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
goto cleanup;
}
key_len = mbedtls_pk_write_pubkey_der( &key, buf, buf_len ); key_len = mbedtls_pk_write_pubkey_der( &key, buf, buf_len );
if( key_len <= 0 ) if( key_len <= 0 )