Hi there,
  looking at the code of key_mgr_unwrap_key (in usr/lib/pkcs11/common/key_mgr.c)
I found that on error the wrong key object could be freed.

At the beginning of the function the key_obj variable is used to check
that there is a valid reference for the wrapping key. If an error
occurs before line 1243 (where key_obj is used to store the handle for the
new object) and execution jumps to the error label, the wrapping key object
will be freed, while that instruction there is meant to free the unwrapped key
in case of error.

The attached patch should solve the issue.

cheers,
matteo.
--- key_mgr.c.orig	2010-07-29 16:30:12.000000000 +0200
+++ key_mgr.c	2010-07-29 16:20:03.000000000 +0200
@@ -1059,6 +1059,10 @@
       return CKR_WRAPPING_KEY_HANDLE_INVALID;
    }
 
+   // "clean" key_obj pointer: it hs been used to check that
+   //    // the provided wrappig key has a valid handle on the token
+   key_obj = NULL;
+
    found_class    = FALSE;
    found_type     = FALSE;
 
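Review bot: at `key_obj = NULL;` the variable still carries two meanings (the wrapping key during the handle check, the new object later), so a separate local for the wrapping-key lookup would make the error path harder to break again than resetting the shared pointer. The error label is not part of this hunk, so please confirm that the cleanup there checks key_obj for NULL before freeing it. The added comment also needs a cleanup: "hs" and "wrappig" are typos, and its second line starts with a doubled `//    //`.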
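The failure mode described in the message, as an added example that is not part of the original post or of opencryptoki's code: a constructed C model in which one pointer first refers to the wrapping key and later to the new object. Every name except key_obj is hypothetical, and the model's cleanup is assumed to tolerate NULL.

```c
#include <stddef.h>

/* Constructed model, not opencryptoki code: an object that only records
 * whether the cleanup path has freed it. */
typedef struct { int freed; } obj_t;

static obj_t wrapping_key;   /* stands in for the caller's wrapping key */
static obj_t new_key;        /* stands in for the object being unwrapped */

/* Hypothetical cleanup helper; assumed to accept NULL. */
static void obj_free(obj_t *o) { if (o) o->freed = 1; }

/* One pointer serves two roles, as in the report.
 * fail_early: simulate an error before the new object exists.
 * reset_ptr:  clear the pointer after the handle check (the patch). */
static int unwrap_model(int fail_early, int reset_ptr)
{
    obj_t *key_obj = &wrapping_key;   /* role 1: validate the wrapping key */
    int rc = 0;

    if (reset_ptr)
        key_obj = NULL;               /* pointer no longer names the wrapping key */

    if (fail_early) {
        rc = -1;
        goto error;
    }

    key_obj = &new_key;               /* role 2: the unwrapped key */
    return rc;

error:
    obj_free(key_obj);                /* intended for the unwrapped key only */
    return rc;
}

/* Returns 1 if a failed unwrap freed the wrapping key, 0 otherwise. */
int wrapping_key_freed_on_error(int reset_ptr)
{
    wrapping_key.freed = 0;
    new_key.freed = 0;
    unwrap_model(1, reset_ptr);
    return wrapping_key.freed;
}
```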