commit c6fa98d2ed1816d88e8517cd988de186fd6477b8
author Randall Spangler <rspangler@chromium.org> Tue Sep 23 16:30:37 2014 -0700
committer chrome-internal-fetch <chrome-internal-fetch@google.com> Wed Sep 24 21:17:57 2014 +0000
tree b2f1eb5ad7921795cdb51d62154ae53b4853f7e3
parent 779796f57e1e0236ea502248ede2cbea986fca21

vboot2: Fix potential null pointer dereference

If key is null in vb2_verify_digest(), we could attempt to dereference
it.  In practice it never is, but for safety's sake we should avoid
the reference.

BUG=chrome-os-partner:32235
BRANCH=none
TEST=VBOOT2=1 make runtests

Change-Id: I5a817e432922ea4c3b439b696cd2f8d988d0fecc
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/219574
Reviewed-by: Bill Richardson <wfrichar@chromium.org>

firmware/2lib/2rsa.c

diff --git a/firmware/2lib/2rsa.c b/firmware/2lib/2rsa.c
index cc39b1d..47ef179 100644
--- a/firmware/2lib/2rsa.c
+++ b/firmware/2lib/2rsa.c
@@ -313,7 +313,7 @@
 {
 	struct vb2_workbuf wblocal = *wb;
 	uint32_t *workbuf32;
-	uint32_t key_bytes = key->arrsize * sizeof(uint32_t);
+	uint32_t key_bytes;
 	int pad_size;
 	int rv;
 
@@ -326,6 +326,7 @@
 	}
 
 	/* Signature length should be same as key length */
+	key_bytes = key->arrsize * sizeof(uint32_t);
 	if (key_bytes != vb2_rsa_sig_size(key->algorithm)) {
 		VB2_DEBUG("Signature is of incorrect length!\n");
 		return VB2_ERROR_RSA_VERIFY_SIG_LEN;