PKCS#7: fix use after free in wc_DecodeKtri

2016-12-14 09:15:45 -07:00 · 2016-12-14 09:15:45 -07:00 · 55554b79a9
parent e5d1e3ae10
commit 55554b79a9
1 changed files with 9 additions and 5 deletions
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@ -2600,13 +2600,12 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
    }
    wc_FreeRsaKey(privKey);

-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
    if (keySz <= 0 || outKey == NULL) {
        ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
        return keySz;
    } else {
        *decryptedKeySz = keySz;
@ -2614,6 +2613,11 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
        ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ);
    }

+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
    return 0;
 }