Fix segfault found by fuzzer. 63/255163/1 accepted/tizen_6.5_unified tizen_6.5 accepted/tizen/6.5/unified/20211028.114551 accepted/tizen/unified/20210318.055920 submit/tizen/20210317.121852 submit/tizen_6.5/20211028.162401 tizen_6.5.m2_release
authorDariusz Michaluk <d.michaluk@samsung.com>
Fri, 12 Mar 2021 18:26:53 +0000 (19:26 +0100)
committerDariusz Michaluk <d.michaluk@samsung.com>
Fri, 12 Mar 2021 19:04:09 +0000 (20:04 +0100)
Unsigned int(input_len) is casted to int(flen), this can lead to using negative value,
unfortunately openssl doesn't check it.

According to openssl documentation, input_len is limited by RSA key size,
let's validate it in yaca to avoid segfault.

Change-Id: I8e821b94794f1b5d7231df16c591fe88c12c84e2

src/rsa.c
tests/test_rsa.cpp

index cbd951b..054db73 100644 (file)
--- a/src/rsa.c
+++ b/src/rsa.c
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2016-2020 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2016-2021 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *  Contact: Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
  *
@@ -94,6 +94,9 @@ static int encrypt_decrypt(yaca_padding_e padding,
 
        max_len = ret;
 
+       if (input_len > max_len)
+               return YACA_ERROR_INVALID_PARAMETER;
+
        ret = yaca_zalloc(max_len, (void**)&loutput);
        if (ret != YACA_ERROR_NONE)
                return ret;
index 0f9e095..105c77c 100644 (file)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2020-2021 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *  Contact: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
  *
@@ -24,6 +24,7 @@
 
 #include <boost/test/unit_test.hpp>
 #include <vector>
+#include <limits>
 
 #include <yaca_crypto.h>
 #include <yaca_rsa.h>
@@ -452,6 +453,11 @@ BOOST_FIXTURE_TEST_CASE(T404__negative__public_encrypt, InitDebugFixture)
        BOOST_REQUIRE(ret == YACA_ERROR_INVALID_PARAMETER);
 
        ret = yaca_rsa_public_encrypt(YACA_PADDING_NONE, key_pub,
+                                                                 INPUT_DATA, UINT_MAX,
+                                                                 &encrypted, &encrypted_len);
+       BOOST_REQUIRE(ret == YACA_ERROR_INVALID_PARAMETER);
+
+       ret = yaca_rsa_public_encrypt(YACA_PADDING_NONE, key_pub,
                                                                  INPUT_DATA, input_len,
                                                                  NULL, &encrypted_len);
        BOOST_REQUIRE(ret == YACA_ERROR_INVALID_PARAMETER);
@@ -466,6 +472,11 @@ BOOST_FIXTURE_TEST_CASE(T404__negative__public_encrypt, InitDebugFixture)
                                                                  &encrypted_pkcs1, &encrypted_pkcs1_len);
        BOOST_REQUIRE(ret == YACA_ERROR_INVALID_PARAMETER);
 
+       ret = yaca_rsa_public_encrypt(YACA_PADDING_PKCS1, key_pub,
+                                                                 INPUT_DATA, UINT_MAX,
+                                                                 &encrypted_pkcs1, &encrypted_pkcs1_len);
+       BOOST_REQUIRE(ret == YACA_ERROR_INVALID_PARAMETER);
+
        ret = yaca_rsa_public_encrypt(YACA_PADDING_PKCS1_OAEP, key_pub,
                                                                  INPUT_DATA, input_len_pkcs1_oaep + 1,
                                                                  &encrypted_pkcs1_oaep, &encrypted_pkcs1_oaep_len);