@@ -213,62 +213,67 @@ int wolfSSH_CERTMAN_VerifyCerts_buffer(WOLFSSH_CERTMAN* cm,
213213 cm -> heap , DYNTYPE_CERT );
214214 certLen = (word32 * )WMALLOC (certsCount * sizeof (word32 ), cm -> heap ,
215215 DYNTYPE_CERT );
216+ if (certLoc == NULL || certLen == NULL ) {
217+ ret = WS_MEMORY_E ;
218+ }
216219
217- currentPt = (unsigned char * )certs ; /* set initial certificate pointer */
218- currentSz = 0 ;
220+ if (ret == WS_SUCCESS ) {
221+ currentPt = (unsigned char * )certs ; /* set initial certificate pointer */
222+ currentSz = 0 ;
219223
220- for (idx = 0 ; idx < (int )certsCount ; idx ++ ) {
221- word32 sz = 0 ;
222- certLoc [idx ] = currentPt ;
224+ for (idx = 0 ; idx < (int )certsCount ; idx ++ ) {
225+ word32 sz = 0 ;
226+ certLoc [idx ] = currentPt ;
223227
224- /* get the size of the certificate from first sequence */
225- if (currentSz + MAX_SEQ_SZ >= certSz ) {
226- ret = WS_BUFFER_E ;
227- break ;
228- }
229- else {
230- /* at this point there is at least 5 bytes in currentPt */
231- if (currentPt [sz ] != (ASN_SEQUENCE | ASN_CONSTRUCTED )) {
232- WLOG (WS_LOG_CERTMAN , "no cert sequence to get length from" );
233- ret = ASN_PARSE_E ;
228+ /* get the size of the certificate from first sequence */
229+ if (currentSz + MAX_SEQ_SZ >= certSz ) {
230+ ret = WS_BUFFER_E ;
234231 break ;
235232 }
236- sz ++ ;
237-
238- if (ret == WS_SUCCESS ) {
239- if (currentPt [sz ] >= ASN_LONG_LENGTH ) {
240- word32 bytes = currentPt [sz ++ ] & 0x7F ;
241- if (bytes > MAX_LENGTH_SZ ) {
242- WLOG (WS_LOG_CERTMAN , "length found is too large!" );
243- ret = ASN_PARSE_E ;
244- break ;
233+ else {
234+ /* at this point there is at least 5 bytes in currentPt */
235+ if (currentPt [sz ] != (ASN_SEQUENCE | ASN_CONSTRUCTED )) {
236+ WLOG (WS_LOG_CERTMAN , "no cert sequence to get length from" );
237+ ret = ASN_PARSE_E ;
238+ break ;
239+ }
240+ sz ++ ;
241+
242+ if (ret == WS_SUCCESS ) {
243+ if (currentPt [sz ] >= ASN_LONG_LENGTH ) {
244+ word32 bytes = currentPt [sz ++ ] & 0x7F ;
245+ if (bytes > MAX_LENGTH_SZ ) {
246+ WLOG (WS_LOG_CERTMAN , "length found is too large!" );
247+ ret = ASN_PARSE_E ;
248+ break ;
249+ }
250+ else {
251+ byte b ;
252+ certLen [idx ] = 0 ;
253+ for (; bytes > 0 ; bytes -- ) {
254+ b = currentPt [sz ++ ];
255+ certLen [idx ] = (certLen [idx ] << 8 ) | b ;
256+ }
257+ }
245258 }
246259 else {
247- byte b ;
248- certLen [idx ] = 0 ;
249- for (; bytes > 0 ; bytes -- ) {
250- b = currentPt [sz ++ ];
251- certLen [idx ] = (certLen [idx ] << 8 ) | b ;
252- }
260+ certLen [idx ] = (word32 )currentPt [sz ++ ];
253261 }
262+ sz += certLen [idx ];
263+ certLen [idx ] = sz ; /* update size to contain sequence */
254264 }
255- else {
256- certLen [idx ] = (word32 )currentPt [sz ++ ];
257- }
258- sz += certLen [idx ];
259- certLen [idx ] = sz ; /* update size to contain first sequence */
260265 }
261- }
262266
263- /* advance current pointer and update current total size */
264- if (ret == WS_SUCCESS ) {
265- if (currentSz + sz > certSz ) {
266- WLOG (WS_LOG_CERTMAN , "cert found is too large!" );
267- ret = ASN_PARSE_E ;
268- break ;
267+ /* advance current pointer and update current total size */
268+ if (ret == WS_SUCCESS ) {
269+ if (currentSz + sz > certSz ) {
270+ WLOG (WS_LOG_CERTMAN , "cert found is too large!" );
271+ ret = ASN_PARSE_E ;
272+ break ;
273+ }
274+ currentSz += sz ;
275+ currentPt += sz ;
269276 }
270- currentSz += sz ;
271- currentPt += sz ;
272277 }
273278 }
274279
@@ -356,6 +361,10 @@ int wolfSSH_CERTMAN_VerifyCerts_buffer(WOLFSSH_CERTMAN* cm,
356361 }
357362#endif /* WOLFSSH_NO_FPKI */
358363
364+ if (certLoc != NULL )
365+ WFREE (certLoc , cm -> heap , DYNTYPE_CERT );
366+ if (certLen != NULL )
367+ WFREE (certLen , cm -> heap , DYNTYPE_CERT );
359368 WLOG_LEAVE (ret );
360369 return ret ;
361370}
0 commit comments