fix F-4409: Integer Overflow in PKCS1 Sign Length Check Allows Heap Buffer Overflow

This commit is contained in:
Daniel Pouzzner
2026-06-12 18:14:04 -05:00
parent 8624bca5b5
commit 1b22e4b502
+3 -3
View File
@@ -1128,7 +1128,7 @@ static int km_pkcs1pad_sign(struct akcipher_request *req)
goto pkcs1pad_sign_out;
}
if (req->src_len + hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
if ((word64)req->src_len + (word64)hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
err = -EOVERFLOW;
goto pkcs1pad_sign_out;
}
@@ -1378,7 +1378,7 @@ static int km_pkcs1_sign(struct crypto_sig *tfm,
goto pkcs1_sign_out;
}
if (slen + hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
if ((word64)slen + (word64)hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) {
err = -EOVERFLOW;
goto pkcs1_sign_out;
}
@@ -1708,7 +1708,7 @@ static int km_pkcs1pad_enc(struct akcipher_request *req)
goto pkcs1_enc_out;
}
if (req->src_len + RSA_MIN_PAD_SZ > ctx->key_len) {
if ((word64)req->src_len + RSA_MIN_PAD_SZ > ctx->key_len) {
err = -EOVERFLOW;
goto pkcs1_enc_out;
}