From 4728469f53bcc1dbdd7fc338572e822eeb263034 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Wed, 6 Feb 2019 10:44:56 +0000 Subject: [PATCH] rsa: Re-enable use of zero-length null output After merging the latest RSA implementation from Mbed TLS, we have a regression in that we no longer properly handle zero-length null output in PKCS1 v1.5 decryption. Prevent undefined behavior by avoiding a memcpy() to zero-length null output buffers. --- library/rsa.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index b68018829..25544aa04 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1624,9 +1624,15 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, plaintext_max_size, plaintext_max_size - plaintext_size ); - /* Finally copy the decrypted plaintext plus trailing zeros - * into the output buffer. */ - memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size ); + /* Finally copy the decrypted plaintext plus trailing zeros into the output + * buffer. If output_max_len is 0, then output may be an invalid pointer + * and the result of memcpy() would be undefined; prevent undefined + * behavior making sure to depend only on output_max_len (the size of the + * user-provided output buffer), which is independent from plaintext + * length, validity of padding, success of the decryption, and other + * secrets. */ + if( output_max_len != 0 ) + memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size ); /* Report the amount of data we copied to the output buffer. In case * of errors (bad padding or output too large), the value of *olen