
Commit 343568e

committed
Fix potential DMA buffer handling errors
For DMA buffer cleanup using wh_Client_DmaProcessClientAddress(), the size of the buffer is required. In many places, the size stored in the request message is used during the cleanup call. However, the request is overwritten when reading the response from the server, potentially overwriting the stored size parameters. When the size passed to the cleanup is incorrectly overwritten with zero, the method is exited early, potentially causing a memory leak.
1 parent 4e1a7d4 commit 343568e

1 file changed

Lines changed: 22 additions & 21 deletions


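--- a/src/wh_client_crypto.c
+++ b/src/wh_client_crypto.c
@@ -2495,8 +2495,9 @@ int wh_Client_Ed25519SignDma(whClientContext* ctx, ed25519_key* key,
 uintptr_t msgAddr = 0;
 uintptr_t sigAddr = 0;
 
-whKeyId key_id = WH_DEVCTX_TO_KEYID(key->devCtx);
-int evict = 0;
+whKeyId key_id = WH_DEVCTX_TO_KEYID(key->devCtx);
+int evict = 0;
+uint32_t inSigLen = (inout_sig_len != NULL) ? *inout_sig_len : 0;
 
 if ((ctx == NULL) || (key == NULL) || ((msg == NULL) && (msgLen > 0)) ||
 (sig == NULL) || (inout_sig_len == NULL) ||
@@ -2557,7 +2558,7 @@ int wh_Client_Ed25519SignDma(whClientContext* ctx, ed25519_key* key,
 req->type = type;
 req->ctxSz = contextLen;
 req->msg.sz = msgLen;
-req->sig.sz = (inout_sig_len != NULL) ? *inout_sig_len : 0;
+req->sig.sz = inSigLen;
 if ((context != NULL) && (contextLen > 0)) {
 memcpy(req_ctx, context, contextLen);
 }
@@ -2611,10 +2612,10 @@ int wh_Client_Ed25519SignDma(whClientContext* ctx, ed25519_key* key,
 }
 
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)sig, (void**)&sigAddr, req->sig.sz,
+ctx, (uintptr_t)sig, (void**)&sigAddr, inSigLen,
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)msg, (void**)&msgAddr, req->msg.sz,
+ctx, (uintptr_t)msg, (void**)&msgAddr, msgLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 }
 
@@ -2756,10 +2757,10 @@ int wh_Client_Ed25519VerifyDma(whClientContext* ctx, ed25519_key* key,
 }
 
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)msg, (void**)&msgAddr, req->msg.sz,
+ctx, (uintptr_t)msg, (void**)&msgAddr, msgLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)sig, (void**)&sigAddr, req->sig.sz,
+ctx, (uintptr_t)sig, (void**)&sigAddr, sigLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 }
 
@@ -4119,13 +4120,13 @@ int wh_Client_Sha256Dma(whClientContext* ctx, wc_Sha256* sha, const uint8_t* in,
 if (in != NULL || out != NULL) {
 /* post operation address translations */
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)sha256, (void**)&stateAddr, req->state.sz,
+ctx, (uintptr_t)sha256, (void**)&stateAddr, sizeof(*sha256),
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)in, (void**)&inAddr, req->input.sz,
+ctx, (uintptr_t)in, (void**)&inAddr, inLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)out, (void**)&outAddr, req->output.sz,
+ctx, (uintptr_t)out, (void**)&outAddr, WC_SHA256_DIGEST_SIZE,
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 }
 
@@ -4401,13 +4402,13 @@ int wh_Client_Sha224Dma(whClientContext* ctx, wc_Sha224* sha, const uint8_t* in,
 
 if (in != NULL || out != NULL) {
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)sha224, (void**)&stateAddr, req->state.sz,
+ctx, (uintptr_t)sha224, (void**)&stateAddr, sizeof(*sha224),
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)in, (void**)&inAddr, req->input.sz,
+ctx, (uintptr_t)in, (void**)&inAddr, inLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)out, (void**)&outAddr, req->output.sz,
+ctx, (uintptr_t)out, (void**)&outAddr, WC_SHA224_DIGEST_SIZE,
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 }
 return ret;
@@ -4682,13 +4683,13 @@ int wh_Client_Sha384Dma(whClientContext* ctx, wc_Sha384* sha, const uint8_t* in,
 
 if (in != NULL || out != NULL) {
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)sha384, (void**)&stateAddr, req->state.sz,
+ctx, (uintptr_t)sha384, (void**)&stateAddr, sizeof(*sha384),
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)in, (void**)&inAddr, req->input.sz,
+ctx, (uintptr_t)in, (void**)&inAddr, inLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)out, (void**)&outAddr, req->output.sz,
+ctx, (uintptr_t)out, (void**)&outAddr, WC_SHA384_DIGEST_SIZE,
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 }
 return ret;
@@ -4975,13 +4976,13 @@ int wh_Client_Sha512Dma(whClientContext* ctx, wc_Sha512* sha, const uint8_t* in,
 
 if (in != NULL || out != NULL) {
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)sha512, (void**)&stateAddr, req->state.sz,
+ctx, (uintptr_t)sha512, (void**)&stateAddr, sizeof(*sha512),
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)in, (void**)&inAddr, req->input.sz,
+ctx, (uintptr_t)in, (void**)&inAddr, inLen,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)out, (void**)&outAddr, req->output.sz,
+ctx, (uintptr_t)out, (void**)&outAddr, WC_SHA512_DIGEST_SIZE,
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 }
 return ret;
@@ -5776,10 +5777,10 @@ int wh_Client_MlDsaSignDma(whClientContext* ctx, const byte* in, word32 in_len,
 }
 
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)out, (void**)&outAddr, req->sig.sz,
+ctx, (uintptr_t)out, (void**)&outAddr, *out_len,
 WH_DMA_OPER_CLIENT_WRITE_POST, (whDmaFlags){0});
 (void)wh_Client_DmaProcessClientAddress(
-ctx, (uintptr_t)in, (void**)&inAddr, req->msg.sz,
+ctx, (uintptr_t)in, (void**)&inAddr, in_len,
 WH_DMA_OPER_CLIENT_READ_POST, (whDmaFlags){0});
 }
 else {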
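Review bot: In the last hunk, wh_Client_MlDsaSignDma passes `*out_len` to the WRITE_POST cleanup, so the size is read at cleanup time instead of being captured before the request, unlike the `inSigLen` snapshot this commit adds to wh_Client_Ed25519SignDma. If the response handling above that hunk (not visible here) writes the returned signature length into `*out_len`, the POST call runs with a server-derived size that may not match the size given to the PRE mapping, which is the mismatch this commit sets out to remove. Capturing the value in a local right after the argument checks and passing it as `ctx, (uintptr_t)out, (void**)&outAddr, outSz,` (`outSz` being that new local) would keep PRE and POST symmetric. Separately, in the first hunk `WH_DEVCTX_TO_KEYID(key->devCtx)` still reads through `key` in the initializer before the `key == NULL` check that follows; moving that assignment below the check would match the NULL guard used for `inSigLen`. Both function bodies extend beyond the visible hunks.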
