From 301c169f9afb364b93011f9870aa4202bd407ae5 Mon Sep 17 00:00:00 2001 From: Jeffrey Walton Date: Wed, 2 Dec 2020 16:40:25 -0500 Subject: Add some signature length validation to DL_VerifierBase Based on testing during GH #981 we found an undersized buffer caused an out-of-bounds read. --- pubkey.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'pubkey.h') diff --git a/pubkey.h b/pubkey.h index ea5534f4..51890893 100644 --- a/pubkey.h +++ b/pubkey.h @@ -1714,14 +1714,21 @@ public: void InputSignature(PK_MessageAccumulator &messageAccumulator, const byte *signature, size_t signatureLength) const { - CRYPTOPP_UNUSED(signature); CRYPTOPP_UNUSED(signatureLength); PK_MessageAccumulatorBase &ma = static_cast(messageAccumulator); const DL_ElgamalLikeSignatureAlgorithm &alg = this->GetSignatureAlgorithm(); const DL_GroupParameters ¶ms = this->GetAbstractGroupParameters(); + // Validation due to https://github.com/weidai11/cryptopp/issues/981 + // We allow a caller to provide R and S in oversized buffer. R and S are + // read based on the field element size, and not the buffer size. const size_t rLen = alg.RLen(params); + const size_t sLen = alg.SLen(params); + CRYPTOPP_ASSERT(signatureLength >= rLen + sLen); + if (signatureLength < rLen + sLen) + throw InvalidDataFormat("DL_VerifierBase: signature length is not valid."); + ma.m_semisignature.Assign(signature, rLen); - ma.m_s.Decode(signature+rLen, alg.SLen(params)); + ma.m_s.Decode(signature+rLen, sLen); this->GetMessageEncodingInterface().ProcessSemisignature(ma.AccessHash(), ma.m_semisignature, ma.m_semisignature.size()); } -- cgit v1.2.1