TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0ea57e8c7a3acec0feb67aa629716112298ed707^! / .
commit0ea57e8c7a3acec0feb67aa629716112298ed707[log] [tgz]
authorPaul Bakker <p.j.bakker@polarssl.org>Thu Jul 05 13:58:08 2012 +0000
committerPaul Bakker <p.j.bakker@polarssl.org>Mon Jan 14 17:36:47 2013 +0100
tree501d84bebc60893e53c44db8fb9f8fb7303b9d8e
parent9a120fd4f73ddff5f0cf32b79625bf3e30977f69 [diff]
Fixed potential memory zeroization on miscrafted RSA key
(cherry picked from commit 3c16db9a10a3087e1611cd8ffb9ca564c0e9cf60)

Conflicts:
	ChangeLog (Moved message to 'Branch 1.1')

diff --git a/ChangeLog b/ChangeLog
index 3f1658d..53f0add 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,5 +1,10 @@
 PolarSSL ChangeLog
 
+= Branch 1.1
+Security
+   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
+     Vanderbeken)
+
 = Version 1.1.4 released on 2012-05-31
 Bugfix
    * Correctly handle empty SSL/TLS packets (Found by James Yonan)

diff --git a/library/rsa.c b/library/rsa.c
index ed1f45b..278686b 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -646,7 +646,7 @@
                     return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
             }
 
-            if( nb_pad < 8 )
+            if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
                 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
             *p++ = 0;