projects / silc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c8cad7c)
Fixed possible buffer overflow in PKCS#1 message decoding. silc.client.1.1.4 silc.server.1.1.2 silc.toolkit.1.1.7
authorPekka Riikonen <priikone@silcnet.org>
Thu, 20 Mar 2008 06:35:48 +0000 (08:35 +0200)
committerPekka Riikonen <priikone@silcnet.org>
Thu, 20 Mar 2008 06:35:48 +0000 (08:35 +0200)
Vulnerability reported by Core Security Technologies.  Thanks.

lib/silccrypt/silcpkcs1.c patch | blob | history

diff --git a/lib/silccrypt/silcpkcs1.c b/lib/silccrypt/silcpkcs1.c
index 283f1ab38747f060aade42d1126c187430cfa860..0a75f800cc6ac0e17618ff01f84de40be75f61ec 100644 (file)
--- a/lib/silccrypt/silcpkcs1.c
+++ b/lib/silccrypt/silcpkcs1.c
@@ -108,7 +108,7 @@ SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
                           SilcUInt32 dest_data_size,
                           SilcUInt32 *dest_len)
 {
                           SilcUInt32 dest_data_size,
                           SilcUInt32 *dest_len)
 {
-  int i = 0;
+  SilcUInt32 i = 0;
 
   SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
 
 
   SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
 
@@ -141,11 +141,19 @@ SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
   }
 
   /* Sanity checks */
   }
 
   /* Sanity checks */
+  if (i >= data_len) {
+    SILC_LOG_DEBUG(("Malformed block"));
+    return FALSE;
+  }
+  if (i < SILC_PKCS1_MIN_PADDING) {
+    SILC_LOG_DEBUG(("Malformed block"));
+    return FALSE;
+  }
   if (data[i++] != 0x00) {
     SILC_LOG_DEBUG(("Malformed block"));
     return FALSE;
   }
   if (data[i++] != 0x00) {
     SILC_LOG_DEBUG(("Malformed block"));
     return FALSE;
   }
-  if (i - 1 < SILC_PKCS1_MIN_PADDING) {
+  if (i >= data_len) {
     SILC_LOG_DEBUG(("Malformed block"));
     return FALSE;
   }
     SILC_LOG_DEBUG(("Malformed block"));
     return FALSE;
   }
SILC - Secure Internet Live Conferencing