diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index d12a47a86..c2b40b5ba 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -63,6 +63,16 @@ enum { #endif +#ifndef min + + static INLINE word32 min(word32 a, word32 b) + { + return a > b ? b : a; + } + +#endif /* min */ + + #ifdef THREADX /* uses parital structures */ #define XTIME(tl) (0) @@ -2710,7 +2720,7 @@ static int SetMyVersion(word32 version, byte* output, int header) } output[i++] = ASN_INTEGER; output[i++] = 0x01; - output[i++] = version; + output[i++] = (byte)version; return i; } @@ -3183,8 +3193,6 @@ static const char* GetOneName(CertName* name, int idx) default: return 0; } - - return 0; } @@ -3220,8 +3228,6 @@ static byte GetNameId(int idx) default: return 0; } - - return 0; } @@ -3508,7 +3514,8 @@ static int WriteCertBody(DerCert* der, byte* buffer) idx += der->publicKeySz; if (der->extensionsSz) { /* extensions */ - XMEMCPY(buffer + idx, der->extensions, der->extensionsSz); + XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz, + sizeof(der->extensions))); idx += der->extensionsSz; } diff --git a/ctaocrypt/src/coding.c b/ctaocrypt/src/coding.c index f72a56467..63edc6a66 100644 --- a/ctaocrypt/src/coding.c +++ b/ctaocrypt/src/coding.c @@ -54,6 +54,7 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) word32 i = 0; word32 j = 0; word32 plainSz = inLen - ((inLen + (PEM_LINE_SZ - 1)) / PEM_LINE_SZ ); + const byte maxIdx = (byte)sizeof(base64Decode) + 0x2B - 1; plainSz = (plainSz * 3 + 3) / 4; if (plainSz > *outLen) return BAD_FUNC_ARG; @@ -75,6 +76,16 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) if (e4 == PAD) pad4 = 1; + if (e1 < 0x2B || e2 < 0x2B || e3 < 0x2B || e4 < 0x2B) { + CYASSL_MSG("Bad Base64 Decode data, too small"); + return ASN_INPUT_E; + } + + if (e1 > maxIdx || e2 > maxIdx || e3 > maxIdx || e4 > maxIdx) { + CYASSL_MSG("Bad Base64 Decode data, too big"); + return ASN_INPUT_E; + } + e1 = base64Decode[e1 - 0x2B]; e2 = base64Decode[e2 - 0x2B]; e3 = (e3 == PAD) ? 0 : base64Decode[e3 - 0x2B]; diff --git a/ctaocrypt/src/integer.c b/ctaocrypt/src/integer.c index 996dad062..72f443ffc 100644 --- a/ctaocrypt/src/integer.c +++ b/ctaocrypt/src/integer.c @@ -2762,6 +2762,9 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b) } } + if (pa > MP_WARRAY) + return MP_RANGE; /* TAO range check */ + #ifdef CYASSL_SMALL_STACK W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT); if (W == NULL) @@ -2878,6 +2881,8 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* number of output digits to produce */ pa = MIN(digs, a->used + b->used); + if (pa > MP_WARRAY) + return MP_RANGE; /* TAO range check */ #ifdef CYASSL_SMALL_STACK W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT); @@ -3598,6 +3603,9 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) } } + if (pa > MP_WARRAY) + return MP_RANGE; /* TAO range check */ + #ifdef CYASSL_SMALL_STACK W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT); if (W == NULL) diff --git a/src/internal.c b/src/internal.c index 4e807f1bd..27157dae7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2822,7 +2822,7 @@ static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz, /* write to output */ if (ivSz) { - XMEMCPY(output + idx, iv, ivSz); + XMEMCPY(output + idx, iv, min(ivSz, sizeof(iv))); idx += ivSz; } XMEMCPY(output + idx, input, inSz); @@ -4235,7 +4235,7 @@ int SetCipherList(Suites* s, const char* list) i += RAN_LEN; b = input[i++]; if (b) { - XMEMCPY(ssl->arrays.sessionID, input + i, b); + XMEMCPY(ssl->arrays.sessionID, input + i, min(b, ID_LEN)); i += b; ssl->options.haveSessionId = 1; } @@ -4506,7 +4506,7 @@ int SetCipherList(Suites* s, const char* list) encSigSz = EncodeSignature(encodedSig, digest, digestSz, typeH); if (encSigSz != (word32)ret || XMEMCMP(out, encodedSig, - encSigSz) != 0) + min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) return VERIFY_SIGN_ERROR; } else { @@ -4673,7 +4673,7 @@ int SetCipherList(Suites* s, const char* list) /* precede export with 1 byte length */ ret = ecc_export_x963(&myKey, encSecret + 1, &size); - encSecret[0] = size; + encSecret[0] = (byte)size; encSz = size + 1; if (ret != 0) @@ -6139,12 +6139,13 @@ int SetCipherList(Suites* s, const char* list) sigSz = EncodeSignature(encodedSig, digest, digestSz, typeH); - if (outLen == (int)sigSz && XMEMCMP(out, encodedSig,sigSz) == 0) + if (outLen == (int)sigSz && XMEMCMP(out, encodedSig, + min(sigSz, MAX_ENCODED_SIG_SZ)) == 0) ret = 0; /* verified */ } else { if (outLen == sizeof(ssl->certHashes) && XMEMCMP(out, - ssl->certHashes.md5, sizeof(ssl->certHashes)) == 0) + &ssl->certHashes, sizeof(ssl->certHashes)) == 0) ret = 0; /* verified */ } } diff --git a/src/tls.c b/src/tls.c index dfeab8147..447f0d819 100644 --- a/src/tls.c +++ b/src/tls.c @@ -33,6 +33,16 @@ #ifndef NO_TLS +#ifndef min + + static INLINE word32 min(word32 a, word32 b) + { + return a > b ? b : a; + } + +#endif /* min */ + + /* calculate XOR for TLSv1 PRF */ static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha) { @@ -74,7 +84,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret, HmacFinal(&hmac, current); if ( (i == lastTime) && lastLen) - XMEMCPY(&result[idx], current, lastLen); + XMEMCPY(&result[idx], current, min(lastLen, sizeof(current))); else { XMEMCPY(&result[idx], current, len); idx += len;