RFR: JDK-6676643: Improve current C_GetAttributeValue native implementation
Greg Rubin
github.com+829871+salusasecondus at openjdk.java.net
Tue Apr 27 15:15:36 UTC 2021
On Tue, 27 Apr 2021 04:28:26 GMT, Greg Rubin <github.com+829871+SalusaSecondus at openjdk.org> wrote:
>> Anyone can help review this somewhat trivial fix? The main change is inside src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c. This is to help better troubleshooting by reporting the type of unavailable attributes in PKCS11 exception message when C_GetAttributeValue(...) call failed. The java file changes are just cleanup for consolidating the CKR_* constants definition into PKCS11Exception class.
>>
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c line 262:
>
>> 260: temp1 = msg;
>> 261: temp2 = msg + 80;
>> 262: for (i = 0; i < ckAttributesLength && temp1 < temp2; i++) {
>
> I think that this loop will append at most 11 bytes to the string each time (is this correct?), if so, we can make the check `temp1 < temp2 - 12` to count the final null and avoid running off the end with a buffer overflow.
I apologize. This counting code is correct and doesn't have any of the issues I claimed. `snprintf` takes care of everything and I just missed it last night.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3709
More information about the security-dev
mailing list