RSA OOB Read

Added a check of the length of the RSA signature before verifying it. The
signature's length needs to be at least 2 bytes as the wolfCrypt padding
check assumes it is at least 2 bytes long. (ZD10358)

src/internal.c

@@ -284,6 +284,9 @@ const char* GetErrorString(int err)
         case WS_DH_SIZE_E:
             return "DH prime group size larger than expected";
 
+        case WS_PUBKEY_SIG_MIN_E:
+            return "pubkey signature too small";
+
         default:
             return "Unknown error code";
     }
@@ -2843,8 +2846,14 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
             if (ret == WS_SUCCESS) {
                 if (sigKeyBlock.useRsa) {
                     sig = sig + begin;
+                    /* In the fuzz, sigSz ends up 1 and it has issues. */
                     sigSz = scratch;
 
+                    if (sigSz < MIN_RSA_SIG_SZ) {
+                        WLOG(WS_LOG_DEBUG, "Provided signature is too small.");
+                        ret = WS_RSA_E;
+                    }
+
                     if (sigSz + begin + tmpIdx > len) {
                         WLOG(WS_LOG_DEBUG,
                                 "Signature size found would result in error 2");

wolfssh/error.h

@@ -113,8 +113,9 @@ enum WS_ErrorCodes {
     WS_WINDOW_FULL          = -1073,
     WS_MISSING_CALLBACK     = -1074, /* Callback is missing */
     WS_DH_SIZE_E            = -1075, /* DH prime larger than expected */
+    WS_PUBKEY_SIG_MIN_E     = -1076, /* Signature too small */
 
-    WS_LAST_E               = -1075  /* Update this to indicate last error */
+    WS_LAST_E               = -1076  /* Update this to indicate last error */
 };
 
 

wolfssh/internal.h

@@ -112,6 +112,7 @@ enum {
 #define MAX_INTEGRITY 2
 #define MAX_KEY_EXCHANGE 2
 #define MAX_PUBLIC_KEY 1
+#define MIN_RSA_SIG_SZ 2
 #define MAX_HMAC_SZ WC_SHA256_DIGEST_SIZE
 #define MIN_BLOCK_SZ 8
 #define COOKIE_SZ 16