commit b46e6adb9ce3e7e4ddfb702c546d185fa9bf99f8
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jun 18 11:29:30 2014 +0200
committer Paul Bakker <p.j.bakker@polarssl.org> Wed Jun 25 11:26:11 2014 +0200
tree d8dc42a29e2825b403d5230b98c78d32d353a52e
parent 0bcc4e1df78fff6d15c3ecb521e3bd0bbee86e1c

Check input lengths in GCM

library/gcm.c

diff --git a/library/gcm.c b/library/gcm.c
index 4e40fbf..d4c68ae 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -266,6 +266,13 @@
     const unsigned char *p;
     size_t use_len, olen = 0;
 
+    /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
+    if( ( (uint64_t) iv_len  ) >> 61 != 0 ||
+        ( (uint64_t) add_len ) >> 61 != 0 )
+    {
+        return( POLARSSL_ERR_GCM_BAD_INPUT );
+    }
+
     memset( ctx->y, 0x00, sizeof(ctx->y) );
     memset( ctx->buf, 0x00, sizeof(ctx->buf) );
 
@@ -342,6 +349,14 @@
     if( output > input && (size_t) ( output - input ) < length )
         return( POLARSSL_ERR_GCM_BAD_INPUT );
 
+    /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+     * Also check for possible overflow */
+    if( ctx->len + length < ctx->len ||
+        (uint64_t) ctx->len + length > 0x03FFFFE0llu )
+    {
+        return( POLARSSL_ERR_GCM_BAD_INPUT );
+    }
+
     ctx->len += length;
 
     p = input;
@@ -387,7 +402,7 @@
     uint64_t orig_len = ctx->len * 8;
     uint64_t orig_add_len = ctx->add_len * 8;
 
-    if( tag_len > 16 )
+    if( tag_len > 16 || tag_len < 4 )
         return( POLARSSL_ERR_GCM_BAD_INPUT );
 
     if( tag_len != 0 )