mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 16:40:49 +02:00
More PKCS#7 bounds checks
This commit is contained in:
+23
-3
@@ -7046,6 +7046,9 @@ static int PKCS7_VerifySignedData(wc_PKCS7* pkcs7, const byte* hashBuf,
|
||||
|
||||
idx += (word32)length;
|
||||
}
|
||||
else if (ret == 0) {
|
||||
ret = ASN_PARSE_E;
|
||||
}
|
||||
|
||||
pkcs7->content = content;
|
||||
pkcs7->contentSz = (word32)contentSz;
|
||||
@@ -9626,7 +9629,7 @@ static int wc_PKCS7_PwriKek_KeyUnWrap(wc_PKCS7* pkcs7, const byte* kek,
|
||||
cekLen = outTmp[0];
|
||||
|
||||
/* verify length */
|
||||
fail |= ctMaskGT(cekLen, (int)inSz);
|
||||
fail |= ctMaskGT(cekLen, (int)inSz - 4);
|
||||
/* verify check bytes */
|
||||
fail |= ctMaskNotEq((int)(outTmp[1] ^ outTmp[4]), 0xFF);
|
||||
fail |= ctMaskNotEq((int)(outTmp[2] ^ outTmp[5]), 0xFF);
|
||||
@@ -11933,7 +11936,9 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz,
|
||||
&datePtr, &dateFormat, &dateLen) != 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
*idx += (word32)(dateLen + 1);
|
||||
/* datePtr points to the start of the date value
|
||||
* within pkiMsg; advance past the full TLV. */
|
||||
*idx = (word32)(datePtr - pkiMsg) + (word32)dateLen;
|
||||
}
|
||||
|
||||
if (*idx > pkiMsgSz) {
|
||||
@@ -13102,6 +13107,14 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
|
||||
ret = ASN_PARSE_E;
|
||||
}
|
||||
|
||||
#ifdef NO_PKCS7_STREAM
|
||||
if (ret == 0 && encryptedContentTotalSz > (int)(pkiMsgSz - idx)) {
|
||||
/* In non-streaming mode, ensure the content fits in the buffer.
|
||||
* Streaming mode handles this via AddDataToStream. */
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ret != 0)
|
||||
break;
|
||||
|
||||
@@ -15355,6 +15368,12 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
|
||||
pkiMsgSz, NO_USER_CHECK) <= 0)
|
||||
ret = ASN_PARSE_E;
|
||||
|
||||
#ifdef NO_PKCS7_STREAM
|
||||
if (ret == 0 && encryptedContentSz > (int)(pkiMsgSz - idx)) {
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ret < 0)
|
||||
break;
|
||||
#ifndef NO_PKCS7_STREAM
|
||||
@@ -15392,7 +15411,8 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
|
||||
version = (int)pkcs7->stream->vers;
|
||||
tmpIv = pkcs7->stream->tmpIv;
|
||||
#endif
|
||||
if (encryptedContentSz <= 0) {
|
||||
if (encryptedContentSz <= 0 ||
|
||||
encryptedContentSz > (int)(pkiMsgSz - idx)) {
|
||||
ret = BUFFER_E;
|
||||
break;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user