feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

do bounds check on full word32 size to match

Browse Source 
inputBuffer length
This commit is contained in:
John Bland
2024-01-03 17:21:08 -05:00
parent e641c6b738
commit e1435e96d2
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/internal.c
View File

@@ -21162,16 +21162,19 @@ default:
ssl->keys.decryptedCur = 1; ssl->keys.decryptedCur = 1;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (ssl->options.tls1_3) { if (ssl->options.tls1_3) {
/* end of plaintext */ /* check that the end of the logical length doesn't extend
word16 i = (word16)(ssl->buffers.inputBuffer.idx + * past the real buffer */
ssl->curSize - ssl->specs.aead_mac_size); word32 boundsCheck = (ssl->buffers.inputBuffer.idx +
ssl->curSize - ssl->specs.aead_mac_size);
/* check i isn't too big and won't wrap around on --i */ if (boundsCheck > ssl->buffers.inputBuffer.length ||
if (i > ssl->buffers.inputBuffer.length || i == 0) { boundsCheck == 0) {
WOLFSSL_ERROR(BUFFER_ERROR); WOLFSSL_ERROR(BUFFER_ERROR);
return BUFFER_ERROR; return BUFFER_ERROR;
} }
/* end of plaintext */
word16 i = (word16)(boundsCheck);
/* Remove padding from end of plain text. */ /* Remove padding from end of plain text. */
for (--i; i > ssl->buffers.inputBuffer.idx; i--) { for (--i; i > ssl->buffers.inputBuffer.idx; i--) {
if (ssl->buffers.inputBuffer.buffer[i] != 0) if (ssl->buffers.inputBuffer.buffer[i] != 0)