mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 08:20:58 +02:00
Scope PKCS7 truncation check to NO_PKCS7_STREAM and guard test underflow
- pkcs7.c: wrap the AuthEnvelopedData encryptedContentSz bounds check entirely in #ifdef NO_PKCS7_STREAM so the default streaming build carries no empty/no-op branch (behavior unchanged). - test_pkcs7.c: assert the encoded size is >32 so the encSz-32 and encSz-1 truncations can't underflow.
This commit is contained in:
@@ -2895,8 +2895,9 @@ int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void)
|
||||
pkcs7->contentOID = DATA;
|
||||
pkcs7->encryptOID = AES128GCMb;
|
||||
}
|
||||
/* >32 so the encSz-32 / encSz-1 truncations below can't underflow */
|
||||
ExpectIntGT(encSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped,
|
||||
sizeof(enveloped)), 0);
|
||||
sizeof(enveloped)), 32);
|
||||
wc_PKCS7_Free(pkcs7);
|
||||
pkcs7 = NULL;
|
||||
|
||||
|
||||
@@ -14968,11 +14968,11 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in,
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef NO_PKCS7_STREAM
|
||||
if (ret == 0 && encryptedContentSz > (int)(pkiMsgSz - idx)) {
|
||||
#ifdef NO_PKCS7_STREAM
|
||||
ret = BUFFER_E;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ret < 0)
|
||||
break;
|
||||
|
||||
Reference in New Issue
Block a user