diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 7f5cd57d3..c12ec7adc 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -4403,11 +4403,21 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, ret = ASN_PARSE_E; if (ret == 0) { - /* Use single OCTET_STRING directly. */ - if (localIdx - start + length == (word32)contentLen) + /* Use single OCTET_STRING directly, or reset length. */ + if (localIdx - start + length == (word32)contentLen) { multiPart = 0; + } else { + /* reset length to outer OCTET_STRING for bundle size + * check below */ + length = contentLen; + } localIdx = start; } + + if (ret != 0) { + /* failed ASN1 parsing during OCTET_STRING checks */ + break; + } } /* get length of content in case of single part */ @@ -4425,6 +4435,16 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, /* support using header and footer without content */ if (pkiMsg2 && pkiMsg2Sz > 0 && hashBuf && hashSz > 0) { localIdx = 0; + + } else if (pkiMsg2 == NULL && hashBuf == NULL) { + /* header/footer not separate, check content length is + * not larger than total bundle size */ + if ((localIdx + length) > pkiMsgSz) { + WOLFSSL_MSG("Content length detected is larger than " + "total bundle size"); + ret = BUFFER_E; + break; + } } idx = localIdx; } @@ -4440,7 +4460,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, if (!degenerate && !detached && ret != 0) break; - length = 0; /* no content to read */ + /* no content to read */ + length = 0; + contentLen = 0; + pkiMsg2 = pkiMsg; pkiMsg2Sz = pkiMsgSz; }