diff options
author | Randall Spangler <rspangler@chromium.org> | 2014-09-23 16:30:37 -0700 |
---|---|---|
committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-11-06 01:16:02 +0000 |
commit | 64e7ac73baeaaa302f1cb4ea44484b087fe7769c (patch) | |
tree | b2f1eb5ad7921795cdb51d62154ae53b4853f7e3 | |
parent | efd6601534d9a47fdad7799a086e573b3d8f2bb7 (diff) | |
download | vboot-64e7ac73baeaaa302f1cb4ea44484b087fe7769c.tar.gz |
vboot2: Fix potential null pointer dereference
If key is null in vb2_verify_digest(), we could attempt to dereference
it. In practice it never is, but for safety's sake we should avoid
the reference.
BUG=chrome-os-partner:32235
BRANCH=none
TEST=VBOOT2=1 make runtests
Change-Id: I5a817e432922ea4c3b439b696cd2f8d988d0fecc
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/219574
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/227876
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Commit-Queue: Daisuke Nojiri <dnojiri@chromium.org>
-rw-r--r-- | firmware/2lib/2rsa.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/firmware/2lib/2rsa.c b/firmware/2lib/2rsa.c index cc39b1d6..47ef1799 100644 --- a/firmware/2lib/2rsa.c +++ b/firmware/2lib/2rsa.c @@ -313,7 +313,7 @@ int vb2_verify_digest(const struct vb2_public_key *key, { struct vb2_workbuf wblocal = *wb; uint32_t *workbuf32; - uint32_t key_bytes = key->arrsize * sizeof(uint32_t); + uint32_t key_bytes; int pad_size; int rv; @@ -326,6 +326,7 @@ int vb2_verify_digest(const struct vb2_public_key *key, } /* Signature length should be same as key length */ + key_bytes = key->arrsize * sizeof(uint32_t); if (key_bytes != vb2_rsa_sig_size(key->algorithm)) { VB2_DEBUG("Signature is of incorrect length!\n"); return VB2_ERROR_RSA_VERIFY_SIG_LEN; |