Fix object collision (same ids, different type) in update_store_size

wolfSSL · Aug 12, 2024 · 6bfdf0a · 6bfdf0a
1 parent ae3c86a
commit 6bfdf0a
Showing 1 changed file with 11 additions and 16 deletions.
diff --git a/src/pkcs11_store.c b/src/pkcs11_store.c
@@ -336,19 +336,19 @@ static struct obj_hdr *create_object(int32_t type, uint32_t tok_id, uint32_t obj
     return NULL; /* No space left in the nodes table */
 }
 
-static void update_store_size(uint32_t tok_id, uint32_t obj_id, uint32_t size)
+static void update_store_size(struct obj_hdr *hdr, uint32_t size)
 {
-    struct obj_hdr *hdr = (struct obj_hdr *)cached_sector;
+    uint32_t off;
+    struct obj_hdr *hdr_mem;
+    if (((uint8_t *)hdr) < vault_base ||
+        ((uint8_t *)hdr > vault_base + WOLFBOOT_SECTOR_SIZE))
+        return;
     check_vault();
+    off = (uint32_t)hdr - (uint32_t)vault_base;
     memcpy(cached_sector, vault_base, WOLFBOOT_SECTOR_SIZE);
-    while ((uintptr_t)hdr < ((uintptr_t)cached_sector + WOLFBOOT_SECTOR_SIZE)) {
-        if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)) {
-            hdr->size = size;
-            cache_commit(0);
-            return;
-        }
-        hdr++;
-    }
+    hdr_mem = (struct obj_hdr *)(cached_sector + off);
+    hdr_mem->size = size;
+    cache_commit(0);
 }
 
 /* Find a free handle in openstores_handles[] array
@@ -468,8 +468,6 @@ int wolfPKCS11_Store_Read(void* store, unsigned char* buffer, int len)
 int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
 {
     struct store_handle *handle = store;
-    uint32_t *tok_obj_id;
-    uint32_t tok_id, obj_id;
     uint32_t obj_size = 0;
     uint32_t in_sector_offset = 0;
     uint32_t in_sector_len = 0;
@@ -482,9 +480,6 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
     if ((handle->flags & STORE_FLAGS_READONLY) != 0)
         return -1;
 
-    tok_obj_id = (uint32_t *)handle->buffer;
-    tok_id = tok_obj_id[0];
-    obj_id = tok_obj_id[1];
     obj_size = handle->hdr->size;
     if (obj_size > KEYVAULT_OBJ_SIZE)
         return -1;
@@ -515,6 +510,6 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
         cache_commit((uint32_t)sector_base - (uint32_t)vault_base);
     }
     obj_size += written;
-    update_store_size(tok_id, obj_id, obj_size);
+    update_store_size(handle->hdr, obj_size);
     return len;
 }