iso7816.c: Check length of key_ref_len to prevent buffer overrun

OpenSC · May 31, 2024 · 6ceb50e · 6ceb50e
1 parent 6923b97
commit 6ceb50e
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
@@ -1021,7 +1021,7 @@ iso7816_set_security_env(struct sc_card *card,
  *p++ = 0x83;
  else
  *p++ = 0x84;
- if (env->key_ref_len > 0xFF)
+ if (env->key_ref_len > SC_MAX_KEYREF_SIZE)
  return SC_ERROR_INVALID_ARGUMENTS;
  *p++ = env->key_ref_len & 0xFF;
  memcpy(p, env->key_ref, env->key_ref_len);

diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
@@ -251,7 +251,7 @@ typedef struct sc_security_env {
 
  unsigned long algorithm_ref;
  struct sc_path file_ref;
- unsigned char key_ref[8];
+ unsigned char key_ref[SC_MAX_KEYREF_SIZE];
  size_t key_ref_len;
  struct sc_path target_file_ref; /* target key file in unwrap operation */
 

diff --git a/src/libopensc/types.h b/src/libopensc/types.h
@@ -50,6 +50,7 @@ typedef unsigned char u8;
 #define SC_MAX_CRTS_IN_SE 12
 #define SC_MAX_SE_NUM 8
 #define SC_MAX_PKCS15_EMULATORS 48
+#define SC_MAX_KEYREF_SIZE 8
 
 /* When changing this value, pay attention to the initialization of the ASN1
  * static variables that use this macro, like, for example,