Description
Category: Buffer Overruns
In file keystore_ta.c, in functions like TA_configure(), the size of the out buffer is never checked. Before calling TA_serialize_rsp_err(), the out size should be validated to confirm the buffer is large enough.
There are two options:
know the size in advance and check the out length against it
pass the maximum size to the serializers
Note: the same comments apply to all command handlers, e.g. TA_generateKey() ... The out buffer and its size should be checked everywhere.
Reported by
Netflix (Bastien Simondi)
Patches
km: ta: add end of outbuf as arg to serializers
km: check output buffer size in TA
km: add oob check to TA_serialize_rsp_err()
km: add oob check to TA_serialize_key_blob_akms()
km: add oob check to TA_serialize_characteristics_akms()
km: ta: add output buffer out of bounds check
km: add oob check to TA_serialize_blob_akms()
km: add oob check to TA_serialize_cert_chain_akms()
km: add oob check to TA_serialize_rsa_keypair()
km: add oob check to TA_serialize_ec_keypair()
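The second option from the description (handing each serializer the end of the output buffer, as the first patch title puts it), shown as an added example that is not the project's code. Every name here (put_bytes, demo_serialize_rsp, demo_handler, the DEMO_* codes) and the response layout are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names and the response layout are hypothetical, not the TA's real API. */
#define DEMO_OK        0u
#define DEMO_SHORT_BUF 1u /* constructed error code */

/* Copy len bytes to *cur only if they fit before end. Invariant: *cur <= end. */
static int put_bytes(uint8_t **cur, const uint8_t *end, const void *src, size_t len)
{
    if ((size_t)(end - *cur) < len)
        return -1; /* would write past the output buffer */
    if (len) memcpy(*cur, src, len);
    *cur += len;
    return 0;
}

/* Write [u32 err][u32 blob_len][blob] (native byte order), never at or past out_end. */
static uint32_t demo_serialize_rsp(uint8_t *out, const uint8_t *out_end, uint32_t err,
                                   const uint8_t *blob, uint32_t blob_len, size_t *written)
{
    uint8_t *cur = out;
    *written = 0;
    if (put_bytes(&cur, out_end, &err, sizeof(err)) ||
        put_bytes(&cur, out_end, &blob_len, sizeof(blob_len)) ||
        put_bytes(&cur, out_end, blob, blob_len))
        return DEMO_SHORT_BUF;
    *written = (size_t)(cur - out);
    return DEMO_OK;
}

/* Command handler: derive the end pointer from the caller-supplied out size. */
static uint32_t demo_handler(uint8_t *out, size_t out_size, const uint8_t *blob,
                             uint32_t blob_len, size_t *written)
{
    if (!out) { *written = 0; return DEMO_SHORT_BUF; }
    return demo_serialize_rsp(out, out + out_size, DEMO_OK, blob, blob_len, written);
}

int main(void)
{
    uint8_t out[8];                       /* too small for 4 + 4 + 4 bytes */
    const uint8_t blob[4] = {1, 2, 3, 4}; /* constructed sample payload */
    size_t n;
    uint32_t rc = demo_handler(out, sizeof(out), blob, sizeof(blob), &n);
    printf("status=%u written=%zu\n", (unsigned)rc, n);
    return 0;
}
```

Because the bound travels with the cursor, a handler cannot forget the check: a short buffer yields an error status and a zero length instead of an overrun.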
Workarounds
NA
References
NA
For more information
If you have any questions or comments about this advisory: