[PATCH] Add error handling when verifying CMS signers


David Gstir

Jan 29, 2026, 11:36:57 AM
to swup...@googlegroups.com, upstream...@sigma-star.at
OpenSSL's CMS_get0_SignerInfos(...) and CMS_get1_certs(...) can fail
even after we've called CMS_verify(...) successfully. Be sure to check
their return values to avoid memory corruptions in the rare instances
where this happens.

Signed-off-by: David Gstir <da...@sigma-star.at>
---
crypto/swupdate_cms_verify_openssl.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/crypto/swupdate_cms_verify_openssl.c b/crypto/swupdate_cms_verify_openssl.c
index 849152d1..5a5e5490 100644
--- a/crypto/swupdate_cms_verify_openssl.c
+++ b/crypto/swupdate_cms_verify_openssl.c
@@ -237,6 +237,11 @@ static int check_verified_signer(CMS_ContentInfo* cms, X509_STORE* store)
return ret;
}

+ if (infos == NULL || cms_certs == NULL) {
+ ERROR("Invalid CMS signed data payload");
+ return ret;
+ }
+
for (i = 0; i < sk_CMS_SignerInfo_num(infos) && ret != 0; ++i) {
CMS_SignerInfo *si = sk_CMS_SignerInfo_value(infos, i);
X509 *signer = NULL;
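Review bot: the early `return ret;` in the new block leaks the certificate stack when `infos` is NULL but `cms_certs` is not: CMS_get1_certs() (the call named in the commit message) hands the caller an owned STACK_OF(X509), so free it with `sk_X509_pop_free(cms_certs, X509_free);` before returning, or route this error path through whatever cleanup the function already runs after the loop. A second point on the same condition: CMS_get1_certs() also returns NULL for a SignedData that simply carries no certificates (signer certificate expected to come from the store), so after this patch such a payload is rejected as "Invalid CMS signed data payload"; if that is the intended policy, stating it in the commit message would save a user who signs with `-nocerts` some debugging.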
--
2.51.0
