[PATCH] Check curve_name for null to avoid crash

Sean Anderson seanga2 at gmail.com
Fri Feb 23 02:24:20 CET 2024


On 2/22/24 17:18, Bob Wolff wrote:
> If mixed rsa and ecdsa keys are specified in dtsi, an rsa key can be sent
> into the ecdsa verify. Without the ecdsa,curve property, this function will
> crash due to lack of checking the null pointer return.

nit: there should be a blank line here

> Signed-off-by: Bob Wolff <bob.wolff68 at gmail.com>
> ---
> 
>   lib/ecdsa/ecdsa-verify.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
> index 0601700c4f..4d1835b598 100644
> --- a/lib/ecdsa/ecdsa-verify.c
> +++ b/lib/ecdsa/ecdsa-verify.c
> @@ -31,6 +31,11 @@ static int fdt_get_key(struct ecdsa_public_key *key, const void *fdt, int node)
>   	int x_len, y_len;
>   
>   	key->curve_name = fdt_getprop(fdt, node, "ecdsa,curve", NULL);
> +	if (!key->curve_name) {
> +		debug("Error: ecdsa cannot get 'ecdsa,curve' property from key. Likely not an ecdsa key.\n");
> +		return -ENOMSG;
> +	}
> +
>   	key->size_bits = ecdsa_key_size(key->curve_name);
>   	if (key->size_bits == 0) {
>   		debug("Unknown ECDSA curve '%s'", key->curve_name);
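
Review bot: the new `!key->curve_name` branch only catches a missing property; `fdt_getprop()` is still called with a NULL length pointer, so nothing in this hunk confirms the value is a non-empty, NUL-terminated string before it is passed to `ecdsa_key_size()` and printed with `'%s'`. Consider passing an `int` length and rejecting, in the same branch, a length of zero or less or a value whose last byte is not `'\0'`. Separately, the debug string is one very long line and begins with "Error:" although it goes through `debug()`; something shorter such as "ecdsa: missing 'ecdsa,curve' property\n" reads better and drops the guess about the key type.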

Reviewed-by: Sean Anderson <seanga2 at gmail.com>

