Fix dangling freed pointer on error in pkcs7_get_signers_info_set
This fixes a use-after-free in PKCS#7 parsing when the signer data is
malformed.
Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/pkcs7.c b/library/pkcs7.c
index ca0170a..783aaa2 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -430,15 +430,16 @@
goto out;
cleanup:
- signer = signers_set->next;
pkcs7_free_signer_info( signers_set );
- while( signer )
+ signer = signers_set->next;
+ while( signer != NULL )
{
prev = signer;
signer = signer->next;
pkcs7_free_signer_info( prev );
mbedtls_free( prev );
}
+ signers_set->next = NULL;
out:
return( ret );
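Review bot: In the `cleanup:` path the new code reads `signers_set->next` only after `pkcs7_free_signer_info( signers_set )` has run, so freeing the rest of the list depends on that helper never clearing or releasing the `next` link. The helper's body is outside this hunk, so that cannot be confirmed from here. Keeping the original order, `signer = signers_set->next;` before `pkcs7_free_signer_info( signers_set );`, removes that dependency and is still compatible with the added `signers_set->next = NULL;`. The reset also deserves a one-line comment, for example `/* Nodes after the head were freed above; clear the link so no later traversal reaches them. */`. The enclosing function starts above the hunk, so the paths that jump to `cleanup:` are not visible.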
diff --git a/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
new file mode 100644
index 0000000..ce4fb3b
--- /dev/null
+++ b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
Binary files differ
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 4f81b6f..5ecfb91 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -62,6 +62,9 @@
depends_on:MBEDTLS_SHA256_C
pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_get_signers_info_set error handling (6213931373035520)
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
PKCS7 Only Signed Data Parse Pass #15
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
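Review bot: The added case `pkcs7_get_signers_info_set error handling (6213931373035520)` has no `depends_on:` line, while the cases on either side declare `depends_on:MBEDTLS_SHA256_C` or `depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C`. If parsing the fuzz input passes through digest-algorithm or certificate handling before it reaches the malformed signer info (not verifiable from this hunk), then a build without those modules would fail earlier with a different error code than `MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`. It is worth running the case in a reduced configuration and, if it fails there, adding the matching `depends_on:` line. The test only shows the regression when run under a memory checker such as ASan or Valgrind, since the return code alone does not reveal the dangling pointer.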