Fix array bound checking in credentials filtering with no allowList

count is an index into the creds array in getAssertionState, and it is checked against the array bounds before data are copied. The array contains space for ALLOW_LIST_MAX_SIZE entries but we are only filling it up to ALLOW_LIST_MAX_SIZE - 1 since the loop terminates early.
solokeys · Mar 30, 2020 · 0955619 · 0955619
1 parent 05bc8be
commit 0955619
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/fido2/ctap.c b/fido2/ctap.c
@@ -1013,7 +1013,7 @@ int ctap_filter_invalid_credentials(CTAP_getAssertion * GA)
             if (memcmp(rk.id.rpIdHash, rpIdHash, 32) == 0)
             {
                 printf1(TAG_GA, "RK %d is a rpId match!\r\n", i);
-                if (count == ALLOW_LIST_MAX_SIZE-1)
+                if (count > ALLOW_LIST_MAX_SIZE-1)
                 {
                     printf2(TAG_ERR, "not enough ram allocated for matching RK's (%d).  Skipping.\r\n", count);
                     break;