commit f48d6f232092bc09e64c239f8bc511059f42c0f9
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Nov 05 17:31:36 2019 +0100
committer Gilles Peskine <Gilles.Peskine@arm.com> Tue Nov 12 13:21:53 2019 +0100
tree e6dcc5813e47bc020d2e411653af610a3d0d1725
parent b22a24b23f7807fa406c61aa64a4d4fbbde18ffe

Add sanity checks for the mbedtls_pk_sign output size

mbedtls_pk_sign does not take the size of its output buffer as a
parameter. We guarantee that MBEDTLS_PK_SIGNATURE_MAX_SIZE is enough.
For RSA and ECDSA signatures made in software, this is ensured by the
way MBEDTLS_PK_SIGNATURE_MAX_SIZE is defined at compile time. For
signatures made through RSA-alt and PSA, this is not guaranteed
robustly at compile time, but we can test it at runtime, so do that.

library/pk_wrap.c

diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 5a699c0..7ffb2c0 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -774,6 +774,8 @@
 #endif /* SIZE_MAX > UINT_MAX */
 
     *sig_len = rsa_alt->key_len_func( rsa_alt->key );
+    if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
                 md_alg, (unsigned int) hash_len, hash, sig ) );
@@ -1017,6 +1019,8 @@
         return( mbedtls_psa_err_translate_pk( status ) );
     buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN( psa_get_key_bits( &attributes ) );
     psa_reset_key_attributes( &attributes );
+    if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     /* make the signature */
     status = psa_asymmetric_sign( *key, alg, hash, hash_len,