Merge pull request #3158 from kaleb-himes/ZD10580_R2

Address buffer underflow, thanks to J.S. for the report on ZD10580
2020-07-27 16:42:42 -07:00 · 2020-07-27 16:42:42 -07:00 · f46e08e9ea
parent 5ef7ff6054 3c5c0f88d4
commit f46e08e9ea
1 changed files with 16 additions and 3 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -10566,9 +10566,22 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 #ifndef NO_WOLFSSL_SKIP_TRAILING_PAD
                #ifndef NO_DES3
                    if (info->cipherType == WC_CIPHER_DES3) {
-                        padVal = der->buffer[der->length-1];
-                        if (padVal <= DES_BLOCK_SIZE) {
-                            der->length -= padVal;
+                        /* Assuming there is padding:
+                         *      (der->length > 0 &&
+                         *       (der->length % DES_BLOCK_SIZE) != 0)
+                         * and assuming the last value signifies the number of
+                         * padded bytes IE if last value is 0x08 then there are
+                         * 8 bytes of padding:
+                         *      padVal = der->buffer[der->length-1];
+                         * then strip this padding before proceeding:
+                         * der->length -= padVal;
+                         */
+                        if (der->length > 0 &&
+                            (der->length % DES_BLOCK_SIZE) != 0) {
+                            padVal = der->buffer[der->length-1];
+                            if (padVal <= DES_BLOCK_SIZE) {
+                                der->length -= padVal;
+                            }
                        }
                    }
                #endif /* !NO_DES3 */