From f753e569117f8e15a036e69f67246c4af3e6a6ce Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Thu, 14 Mar 2024 12:16:29 +0100 Subject: [PATCH] rpc: check value length before reading the value Signed-off-by: Zoltan Fridrich --- p11-kit/rpc-message.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c index 769c7d82..ea902553 100644 --- a/p11-kit/rpc-message.c +++ b/p11-kit/rpc-message.c @@ -1333,6 +1333,7 @@ p11_rpc_message_get_attribute (p11_rpc_message *msg, { uint32_t type, length; CK_ULONG decode_length; + size_t saved_offset; unsigned char validity; p11_rpc_attribute_serializer *serializer; p11_rpc_value_type value_type; @@ -1364,15 +1365,26 @@ p11_rpc_message_get_attribute (p11_rpc_message *msg, return false; } - /* Decode the attribute value */ value_type = map_attribute_to_value_type (type); assert (value_type < ELEMS (p11_rpc_attribute_serializers)); serializer = &p11_rpc_attribute_serializers[value_type]; assert (serializer != NULL); - if (!serializer->decode (msg, buffer, offset, attr->pValue, &decode_length)) - return false; - if (attr->pValue == NULL && length != 0 && decode_length > length) + + /* Get the attribute value length */ + saved_offset = *offset; + if (!serializer->decode (NULL, buffer, offset, NULL, &decode_length)) return false; + + /* Decode the attribute value */ + if (attr->pValue != NULL) { + if (length < decode_length) + return false; + + *offset = saved_offset; + if (!serializer->decode (msg, buffer, offset, attr->pValue, NULL)) + return false; + } + attr->type = type; attr->ulValueLen = length; return true;