From f00636919e0008c3e1fbb0f76c17fbc4595a7549 Mon Sep 17 00:00:00 2001 From: Josh Holtrop Date: Wed, 25 Mar 2026 15:56:42 -0400 Subject: [PATCH] Rust wrapper: check kdr_index range in srtp_kdf() and srtcp_kdf() Fix F-1257 --- wrapper/rust/wolfssl-wolfcrypt/src/kdf.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/wrapper/rust/wolfssl-wolfcrypt/src/kdf.rs b/wrapper/rust/wolfssl-wolfcrypt/src/kdf.rs index 9f58673069..4fdecb7e6b 100644 --- a/wrapper/rust/wolfssl-wolfcrypt/src/kdf.rs +++ b/wrapper/rust/wolfssl-wolfcrypt/src/kdf.rs @@ -584,6 +584,11 @@ pub fn ssh_kdf(typ: i32, key_id: u8, k: &[u8], h: &[u8], session_id: &[u8], key: #[cfg(kdf_srtp)] pub fn srtp_kdf(key: &[u8], salt: &[u8], kdr_index: i32, idx: &[u8], key1: &mut [u8], key2: &mut [u8], key3: &mut [u8]) -> Result<(), i32> { + if !(kdr_index == -1 || (0 <= kdr_index && (kdr_index as usize) <= idx.len() * 8)) { + // The kdr_index value must be either -1 or the number of bits that + // will be read from the idx slice. + return Err(sys::wolfCrypt_ErrorCodes_BAD_FUNC_ARG); + } let key_size = key.len() as u32; let salt_size = salt.len() as u32; let key1_size = key1.len() as u32; @@ -684,6 +689,11 @@ pub fn srtp_kdf_label(key: &[u8], salt: &[u8], kdr_index: i32, idx: &[u8], #[cfg(kdf_srtp)] pub fn srtcp_kdf(key: &[u8], salt: &[u8], kdr_index: i32, idx: &[u8], key1: &mut [u8], key2: &mut [u8], key3: &mut [u8]) -> Result<(), i32> { + if !(kdr_index == -1 || (0 <= kdr_index && (kdr_index as usize) <= idx.len() * 8)) { + // The kdr_index value must be either -1 or the number of bits that + // will be read from the idx slice. + return Err(sys::wolfCrypt_ErrorCodes_BAD_FUNC_ARG); + } let key_size = key.len() as u32; let salt_size = salt.len() as u32; let key1_size = key1.len() as u32;