From ae4766ae96d0dcb5167492ec9e2b985d42324e84 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 10 Sep 2021 16:49:42 -0600 Subject: [PATCH] add sanity check on buffer size --- wolfcrypt/src/asn.c | 4 ++++ wolfcrypt/test/test.c | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 69f03006a..c27c18b84 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -26934,6 +26934,10 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, if (ret != 0) return ret; + /* check that the value found is not too large for pubKey buffer */ + if (inSz - *inOutIdx > *pubKeyLen) + return ASN_PARSE_E; + /* This is the raw point data compressed or uncompressed. */ *pubKeyLen = inSz - *inOutIdx; XMEMCPY(pubKey, input + *inOutIdx, *pubKeyLen); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 0247bbb8e..2b0814b35 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -26031,6 +26031,17 @@ WOLFSSL_TEST_SUBROUTINE int ed25519_test(void) 0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68, 0xf7,0x07,0x51,0x1a }; + + /* size has been altered to catch if sanity check is done */ + static byte badPublicEd25519[] = { + 0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65, + 0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01, + 0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3, + 0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3, + 0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68, + 0xf7,0x07,0x51,0x1a, + 0x00 /* add an additional byte to make the pubkey appear bigger */ + }; static byte privPubEd25519[] = { 0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06, 0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20, @@ -26167,6 +26178,13 @@ WOLFSSL_TEST_SUBROUTINE int ed25519_test(void) != BAD_FUNC_ARG) return -11131; + + /* try with a buffer size that is too large */ + idx = 0; + if (wc_Ed25519PublicKeyDecode(badPublicEd25519, &idx, &key3, + sizeof(badPublicEd25519)) == 0) + return -11140; + idx = 0; if (wc_Ed25519PublicKeyDecode(publicEd25519, &idx, &key3, sizeof(publicEd25519)) != 0)