chaps: Police invalid attribute length

The value (CK_ULONG)-1 is used on C_GetAttributeValue to indicate
an error for a particular attribute; as such, this value survives
serialization (in

However, if an incorrect application turns around and uses this
length value for an attribute on a call to C_SetAttributeValue,
we need to ensure that this doesn't crash chapsd.

In particular, watch out for this specific error value in
ObjectImpl::SetAttributes(); other erroneously-huge values
will only cause problems client-side (because the serialization
will fail).

TEST=Chaps unit tests (with ASAN) plus PKCS11 tests

Change-Id: If9d1eb4fa66591691039efaaa7333ddbd3abdeac
Reviewed-by: Darren Krahn <>
Commit-Queue: David Drysdale <>
Tested-by: David Drysdale <>
2 files changed