More PKCS#7 bounds checks

This commit is contained in:
Tobias Frauenschläger
2026-04-14 13:51:28 +02:00
parent 46f3ebb0c6
commit 4e423fde17
+23 -3
View File
@@ -7046,6 +7046,9 @@ static int PKCS7_VerifySignedData(wc_PKCS7* pkcs7, const byte* hashBuf,
idx += (word32)length;
}
else if (ret == 0) {
ret = ASN_PARSE_E;
}
pkcs7->content = content;
pkcs7->contentSz = (word32)contentSz;
@@ -9626,7 +9629,7 @@ static int wc_PKCS7_PwriKek_KeyUnWrap(wc_PKCS7* pkcs7, const byte* kek,
cekLen = outTmp[0];
/* verify length */
fail |= ctMaskGT(cekLen, (int)inSz);
fail |= ctMaskGT(cekLen, (int)inSz - 4);
/* verify check bytes */
fail |= ctMaskNotEq((int)(outTmp[1] ^ outTmp[4]), 0xFF);
fail |= ctMaskNotEq((int)(outTmp[2] ^ outTmp[5]), 0xFF);
@@ -11933,7 +11936,9 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz,
&datePtr, &dateFormat, &dateLen) != 0) {
return ASN_PARSE_E;
}
*idx += (word32)(dateLen + 1);
/* datePtr points to the start of the date value
* within pkiMsg; advance past the full TLV. */
*idx = (word32)(datePtr - pkiMsg) + (word32)dateLen;
}
if (*idx > pkiMsgSz) {
@@ -13102,6 +13107,14 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
ret = ASN_PARSE_E;
}
#ifdef NO_PKCS7_STREAM
if (ret == 0 && encryptedContentTotalSz > (int)(pkiMsgSz - idx)) {
/* In non-streaming mode, ensure the content fits in the buffer.
* Streaming mode handles this via AddDataToStream. */
ret = BUFFER_E;
}
#endif
if (ret != 0)
break;
@@ -15355,6 +15368,12 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
pkiMsgSz, NO_USER_CHECK) <= 0)
ret = ASN_PARSE_E;
#ifdef NO_PKCS7_STREAM
if (ret == 0 && encryptedContentSz > (int)(pkiMsgSz - idx)) {
ret = BUFFER_E;
}
#endif
if (ret < 0)
break;
#ifndef NO_PKCS7_STREAM
@@ -15392,7 +15411,8 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
version = (int)pkcs7->stream->vers;
tmpIv = pkcs7->stream->tmpIv;
#endif
if (encryptedContentSz <= 0) {
if (encryptedContentSz <= 0 ||
encryptedContentSz > (int)(pkiMsgSz - idx)) {
ret = BUFFER_E;
break;
}