projects / platform / core / security / yaca.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 725304a)
Fix segfault found by fuzzer. 77/255377/1 accepted/tizen_5.5_unified tizen_5.5 accepted/tizen/5.5/unified/20210318.001936 submit/tizen_5.5/20210317.122023
authorDariusz Michaluk <d.michaluk@samsung.com>
Fri, 12 Mar 2021 18:26:53 +0000 (19:26 +0100)
committerDariusz Michaluk <d.michaluk@samsung.com>
Wed, 17 Mar 2021 11:46:53 +0000 (12:46 +0100)
Unsigned int(input_len) is casted to int(flen), this can lead to using negative value,
unfortunately openssl doesn't check it.

According to openssl documentation, input_len is limited by RSA key size,
let's validate it in yaca to avoid segfault.

Change-Id: I8e821b94794f1b5d7231df16c591fe88c12c84e2

src/rsa.c patch | blob | history

diff --git a/src/rsa.c b/src/rsa.c
index 7fbb6e4..336d1f7 100644 (file)
--- a/src/rsa.c
+++ b/src/rsa.c
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2016-2021 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *  Contact: Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
  *
@@ -89,6 +89,9 @@ static int encrypt_decrypt(yaca_padding_e padding,
 
        max_len = ret;
 
+       if (input_len > max_len)
+               return YACA_ERROR_INVALID_PARAMETER;
+
        ret = yaca_zalloc(max_len, (void**)&loutput);
        if (ret != YACA_ERROR_NONE)
                return ret;
Domain: Security / Utilities;