Description
Category: Integer Overflow
In TA_deserialize_auth_set(), param_set->length is derived from the REE. Due to an integer overflow, the size computed for this allocation can be very small even when param_set->length is large. As a result, malloc() returns a small memory block while the code expects much more. This needs to be fixed.
So make sure there is no overflow when allocating memory for the number of key params required.
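The wrap-around described above, next to an overflow-checked size computation, as an added example (not the TA's own code or the referenced patches). The type `demo_param_t` and all function names are hypothetical, the arithmetic is done in 32 bits as on a 32-bit TA, and `__builtin_mul_overflow` assumes GCC or Clang.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for one key parameter (16 bytes); the real type differs. */
typedef struct { uint32_t tag; uint32_t pad; uint64_t value; } demo_param_t;

/* Unchecked: the 32-bit product wraps modulo 2^32, so a huge
 * attacker-supplied count can produce a tiny allocation size. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(demo_param_t);
}

/* Checked: returns 0 and writes *size only if count * sizeof(elem)
 * is representable in 32 bits; returns -1 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t *size)
{
    uint32_t elem = (uint32_t)sizeof(demo_param_t);

    if (__builtin_mul_overflow(count, elem, size))
        return -1;
    return 0;
}

/* Allocate room for `count` params whose count came from the untrusted
 * side. A zero count or an unrepresentable size is rejected up front. */
demo_param_t *alloc_params(uint32_t count)
{
    uint32_t size;

    if (count == 0 || checked_alloc_size(count, &size) != 0)
        return NULL;
    return malloc(size);
}

int main(void)
{
    uint32_t hostile = 0x10000001u; /* constructed sample length */
    demo_param_t *p = alloc_params(hostile);

    printf("unchecked size for %u params: %u bytes\n",
           (unsigned)hostile, (unsigned)unchecked_alloc_size(hostile));
    printf("checked allocation: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```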
Reported by
Netflix (Bastien Simondi)
Patches
km: ta: add multiplication overflow check
km: ta: use arithmetic ops with overflow detection
Workarounds
NA
References
NA
For more information
If you have any questions or comments about this advisory: