Cipher layer: check iv_len more carefully

commit: e0dca4ad78e4c914592784e086269062555c6fa8 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Oct 24 16:54:25 2013 +0200
committer: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Oct 24 17:03:39 2013 +0200
tree: 1828b3791d1e686ce7738573795e7a643f6ad60a
parent: c2bd7a2f2f4d33fd33139d0e67424fd5078f41ea [diff] [blame]
diff --git a/library/cipher.c b/library/cipher.c
index 5edc39a..495bd51 100644
--- a/library/cipher.c
+++ b/library/cipher.c

@@ -185,11 +185,21 @@
     if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv )
         return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
 
+    /* avoid buffer overflow in ctx->iv */
+    if( iv_len > POLARSSL_MAX_IV_LENGTH )
+        return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
     if( ctx->cipher_info->accepts_variable_iv_size )
         actual_iv_size = iv_len;
     else
+    {
         actual_iv_size = ctx->cipher_info->iv_size;
 
+        /* avoid reading past the end of input buffer */
+        if( actual_iv_size > iv_len )
+            return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
+    }
+
     memcpy( ctx->iv, iv, actual_iv_size );
     ctx->iv_size = actual_iv_size;
commit	e0dca4ad78e4c914592784e086269062555c6fa8	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Thu Oct 24 16:54:25 2013 +0200
committer	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Thu Oct 24 17:03:39 2013 +0200
tree	1828b3791d1e686ce7738573795e7a643f6ad60a
parent	c2bd7a2f2f4d33fd33139d0e67424fd5078f41ea [diff] [blame]