iso7816.c: Check length of key_ref_len to prevent buffer overrun

xhanulik · Jakuje · commit 6ceb50e271f4 · 2024-05-31T15:37:40.000+02:00
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
@@ -1021,7 +1021,7 @@ iso7816_set_security_env(struct sc_card *card,
 			*p++ = 0x83;
 		else
 			*p++ = 0x84;
-		if (env->key_ref_len > 0xFF)
+		if (env->key_ref_len > SC_MAX_KEYREF_SIZE)
 			return SC_ERROR_INVALID_ARGUMENTS;
 		*p++ = env->key_ref_len & 0xFF;
 		memcpy(p, env->key_ref, env->key_ref_len);
diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
@@ -251,7 +251,7 @@ typedef struct sc_security_env {
 
 	unsigned long algorithm_ref;
 	struct sc_path file_ref;
-	unsigned char key_ref[8];
+	unsigned char key_ref[SC_MAX_KEYREF_SIZE];
 	size_t key_ref_len;
 	struct sc_path target_file_ref; /* target key file in unwrap operation */
 
diff --git a/src/libopensc/types.h b/src/libopensc/types.h
@@ -50,6 +50,7 @@ typedef unsigned char u8;
 #define SC_MAX_CRTS_IN_SE		12
 #define SC_MAX_SE_NUM			8
 #define SC_MAX_PKCS15_EMULATORS	48
+#define SC_MAX_KEYREF_SIZE		8
 
 /* When changing this value, pay attention to the initialization of the ASN1
  * static variables that use this macro, like, for example,
