- Fixed possible heap overflow in pkcs1_decrypt on data larger than output
buffer after padding. For instance the premaster decryption in
ssl_parse_client_key_exchange() in ssl_serv.c (Thanks to Christophe
Devine)
diff --git a/library/rsa.c b/library/rsa.c
index 5236856..211de4e 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -328,7 +328,8 @@
int rsa_pkcs1_decrypt( rsa_context *ctx,
int mode, int *olen,
unsigned char *input,
- unsigned char *output )
+ unsigned char *output,
+ int output_max_len)
{
int ret, ilen;
unsigned char *p;
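Review bot: `output_max_len` is added as a signed `int` with no comment saying it is the capacity of `output` in bytes, so the contract this overflow fix relies on stays implicit. A negative value appears to be rejected by the bounds check added further down, but the self-test call site passes `sizeof(rsa_decrypted)`, a `size_t` that is narrowed silently. I would either declare it `size_t output_max_len`, or keep `int` for consistency with `olen` and add `/* output_max_len: size of the output buffer in bytes, must be >= 0 */` above the definition. The function body continues outside this hunk.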
@@ -369,6 +370,9 @@
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
+ if (ilen - (int)(p - buf) > output_max_len)
+ return( POLARSSL_ERR_RSA_OUTPUT_TO_LARGE );
+
*olen = ilen - (int)(p - buf);
memcpy( output, p, *olen );
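Review bot: The new `POLARSSL_ERR_RSA_OUTPUT_TO_LARGE` return is distinguishable from the `POLARSSL_ERR_RSA_INVALID_PADDING` return just above it, so the result now reveals whether the padding was well-formed. For PKCS#1 v1.5 decryption of peer-supplied ciphertext, such as the premaster secret named in the commit message, that difference should not be observable to the peer. The caller is not visible here, so this is something to confirm rather than a demonstrated leak. I would add `/* callers handling untrusted ciphertext must treat this error and INVALID_PADDING identically */` above the check. The enclosing function starts and ends outside the hunk.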
@@ -677,7 +681,8 @@
printf( "passed\n PKCS#1 decryption : " );
if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
- rsa_ciphertext, rsa_decrypted ) != 0 )
+ rsa_ciphertext, rsa_decrypted,
+ sizeof(rsa_decrypted) ) != 0 )
{
if( verbose != 0 )
printf( "failed\n" );