Skip to content

Commit b5c5327

Browse files
dgarskedgarske
authored
Merge pull request #9954 from kareem-wolfssl/gh9951
Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.
2 parents da635c9 + 0b26791 commit b5c5327

3 files changed

Lines changed: 32 additions & 18 deletions

File tree

wolfcrypt/src/hash.c

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1954,12 +1954,17 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
19541954
int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in,
19551955
int inSz, void* heap)
19561956
{
1957-
if (*len < *used + inSz) {
1957+
word32 usedSz = 0;
1958+
1959+
if (inSz <= 0 || !WC_SAFE_SUM_WORD32(*used, (word32)inSz, usedSz))
1960+
return BAD_FUNC_ARG;
1961+
1962+
if (*len < usedSz) {
19581963
if (*msg == NULL) {
1959-
*msg = (byte*)XMALLOC(*used + inSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
1964+
*msg = (byte*)XMALLOC(usedSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
19601965
}
19611966
else {
1962-
byte* pt = (byte*)XREALLOC(*msg, *used + inSz, heap,
1967+
byte* pt = (byte*)XREALLOC(*msg, usedSz, heap,
19631968
DYNAMIC_TYPE_TMP_BUFFER);
19641969
if (pt == NULL) {
19651970
return MEMORY_E;
@@ -1969,7 +1974,7 @@ int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in,
19691974
if (*msg == NULL) {
19701975
return MEMORY_E;
19711976
}
1972-
*len = *used + inSz;
1977+
*len = usedSz;
19731978
}
19741979
XMEMCPY(*msg + *used, in, inSz);
19751980
*used += inSz;

wolfcrypt/src/port/nxp/se050_port.c

Lines changed: 13 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -266,33 +266,38 @@ int se050_hash_copy(SE050_HASH_Context* src, SE050_HASH_Context* dst)
266266

267267
int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len)
268268
{
269-
byte* tmp = NULL;
269+
byte* tmp = NULL;
270+
word32 usedSz = 0;
270271

271-
if (se050Ctx == NULL || (len > 0 && data == NULL)) {
272+
if (se050Ctx == NULL || (len > 0 && data == NULL) || (len == 0) ||
273+
!WC_SAFE_SUM_WORD32(se050Ctx->used, len, usedSz)) {
272274
return BAD_FUNC_ARG;
273275
}
274276

275-
if (se050Ctx->len < se050Ctx->used + len) {
277+
if (se050Ctx->len < usedSz) {
276278
if (se050Ctx->msg == NULL) {
277-
se050Ctx->msg = (byte*)XMALLOC(se050Ctx->used + len,
279+
se050Ctx->msg = (byte*)XMALLOC(usedSz,
278280
se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
279-
XMEMSET(se050Ctx->msg, 0, se050Ctx->used + len);
281+
if (se050Ctx->msg == NULL) {
282+
return MEMORY_E;
283+
}
284+
XMEMSET(se050Ctx->msg, 0, usedSz);
280285
}
281286
else {
282-
tmp = (byte*)XMALLOC(se050Ctx->used + len, se050Ctx->heap,
287+
tmp = (byte*)XMALLOC(usedSz, se050Ctx->heap,
283288
DYNAMIC_TYPE_TMP_BUFFER);
284289
if (tmp == NULL) {
285290
return MEMORY_E;
286291
}
287-
XMEMSET(tmp, 0, se050Ctx->used + len);
292+
XMEMSET(tmp, 0, usedSz);
288293
XMEMCPY(tmp, se050Ctx->msg, se050Ctx->used);
289294
XFREE(se050Ctx->msg, se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
290295
se050Ctx->msg = tmp;
291296
}
292297
if (se050Ctx->msg == NULL) {
293298
return MEMORY_E;
294299
}
295-
se050Ctx->len = se050Ctx->used + len;
300+
se050Ctx->len = usedSz;
296301
}
297302

298303
XMEMCPY(se050Ctx->msg + se050Ctx->used, data, len);

wolfcrypt/src/port/ti/ti-hash.c

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -75,18 +75,22 @@ static int hashInit(wolfssl_TI_Hash *hash)
7575
static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len)
7676
{
7777
void *p;
78+
word32 usedSz = 0;
7879

79-
if ((hash== NULL) || (data == NULL))return BAD_FUNC_ARG;
80+
if ((hash == NULL) || (data == NULL) || (len == 0) ||
81+
!WC_SAFE_SUM_WORD32(hash->used, len, usedSz))
82+
return BAD_FUNC_ARG;
8083

81-
if (hash->len < hash->used+len) {
84+
if (hash->len < usedSz) {
8285
if (hash->msg == NULL) {
83-
p = XMALLOC(hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
86+
p = XMALLOC(usedSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
8487
} else {
85-
p = XREALLOC(hash->msg, hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
88+
p = XREALLOC(hash->msg, usedSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
8689
}
87-
if (p == 0)return 1;
90+
if (p == 0)
91+
return MEMORY_E;
8892
hash->msg = p;
89-
hash->len = hash->used+len;
93+
hash->len = usedSz;
9094
}
9195
XMEMCPY(hash->msg+hash->used, data, len);
9296
hash->used += len;

0 commit comments

Comments
 (0)