commit 060c56871cf1b994748aa3bfe83ec75960b61f59
author Paul Bakker <p.j.bakker@polarssl.org> Mon Jan 12 21:48:39 2009 +0000
committer Paul Bakker <p.j.bakker@polarssl.org> Mon Jan 12 21:48:39 2009 +0000
tree a5a900f9e08533e8a601bf2058ee40c422f69a51
parent c32c6b56ca45734930f639e8730abfaf3907e990

 - Fixed possible heap overflow in pkcs1_decrypt on data larger than output
   buffer after padding. For instance the premaster decryption in
   ssl_parse_client_key_exchange() in ssl_serv.c (Thanks to Christophe
   Devine)

include/polarssl/rsa.h

diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index abca193..f02df5a 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -31,6 +31,7 @@
 #define POLARSSL_ERR_RSA_PUBLIC_FAILED                     -0x0440
 #define POLARSSL_ERR_RSA_PRIVATE_FAILED                    -0x0450
 #define POLARSSL_ERR_RSA_VERIFY_FAILED                     -0x0460
+#define POLARSSL_ERR_RSA_OUTPUT_TO_LARGE                   -0x0470
 
 /*
  * PKCS#1 constants
@@ -216,16 +217,19 @@
  * \param input    buffer holding the encrypted data
  * \param output   buffer that will hold the plaintext
  * \param olen     will contain the plaintext length
+ * \param output_max_len	maximum length of the output buffer
  *
  * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
  *
  * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
+ *                 an error is thrown.
  */
 int rsa_pkcs1_decrypt( rsa_context *ctx,
                        int mode, int *olen,
                        unsigned char *input,
-                       unsigned char *output );
+                       unsigned char *output,
+		       int output_max_len);
 
 /**
  * \brief          Do a private RSA to sign a message digest

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 5236856..211de4e 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -328,7 +328,8 @@
 int rsa_pkcs1_decrypt( rsa_context *ctx,
                        int mode, int *olen,
                        unsigned char *input,
-                       unsigned char *output )
+                       unsigned char *output,
+		       int output_max_len)
 {
     int ret, ilen;
     unsigned char *p;
@@ -369,6 +370,9 @@
             return( POLARSSL_ERR_RSA_INVALID_PADDING );
     }
 
+    if (ilen - (int)(p - buf) > output_max_len)
+    	return( POLARSSL_ERR_RSA_OUTPUT_TO_LARGE );
+
     *olen = ilen - (int)(p - buf);
     memcpy( output, p, *olen );
 
@@ -677,7 +681,8 @@
         printf( "passed\n  PKCS#1 decryption : " );
 
     if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
-                           rsa_ciphertext, rsa_decrypted ) != 0 )
+                           rsa_ciphertext, rsa_decrypted,
+			   sizeof(rsa_decrypted) ) != 0 )
     {
         if( verbose != 0 )
             printf( "failed\n" );

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index cb8d140..a8b9022 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -726,7 +726,8 @@
         }
 
         ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
-                                 ssl->in_msg + i, ssl->premaster );
+                                 ssl->in_msg + i, ssl->premaster,
+				 sizeof(ssl->premaster) );
 
         if( ret != 0 || ssl->pmslen != 48 ||
             ssl->premaster[0] != ssl->max_major_ver ||