Fix null pointer dereference in the RSA module. Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt

commit: 689a6272153f44b23c1702a09b6db32b79adbd72 [log] [tgz]
author: Janos Follath <janos.follath@arm.com> Fri Mar 18 11:45:44 2016 +0000
committer: Simon Butcher <simon.butcher@arm.com> Tue Apr 19 10:20:59 2016 +0100
tree: a5cb9e1bae8721a2c096da5ff1ae1db624de08ac
parent: 0705dd0588e1178d49574a5526504926e846a6ed [diff]
diff --git a/ChangeLog b/ChangeLog
index 4e11654..a2fae0d 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -10,6 +10,8 @@
    * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
      buffer after DER certificates to be included in the raw representation.
    * Fix issue that caused a hang when generating RSA keys of odd bitlength
+   * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
+     dereference possible.
 
 Changes
    * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,

diff --git a/library/rsa.c b/library/rsa.c
index a4ad664..5f9bee3 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -590,7 +590,8 @@
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
-    if( f_rng == NULL )
+    // We don't check p_rng because it won't be dereferenced here
+    if( f_rng == NULL || input == NULL || output == NULL )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
     olen = ctx->len;
commit	689a6272153f44b23c1702a09b6db32b79adbd72	[log] [tgz]
author	Janos Follath <janos.follath@arm.com>	Fri Mar 18 11:45:44 2016 +0000
committer	Simon Butcher <simon.butcher@arm.com>	Tue Apr 19 10:20:59 2016 +0100
tree	a5cb9e1bae8721a2c096da5ff1ae1db624de08ac
parent	0705dd0588e1178d49574a5526504926e846a6ed [diff]