From 3f7f8170d6ba71da9a9f624ef9da6c9edeb64b50 Mon Sep 17 00:00:00 2001 From: Mohammad Azim Khan Date: Thu, 23 Nov 2017 17:49:05 +0000 Subject: [PATCH 1/2] Check invalid nc_off Uninitialized nc_off value >0xf passed by the caller can cause array out-of-bound. --- include/mbedtls/aes.h | 1 + library/aes.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 46016dcb7..d252930fd 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -49,6 +49,7 @@ /* Error codes in range 0x0020-0x0022 */ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ +#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0024 /**< Invalid input data. */ /* Error codes in range 0x0023-0x0025 */ #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */ diff --git a/library/aes.c b/library/aes.c index da94b1943..3bb851520 100644 --- a/library/aes.c +++ b/library/aes.c @@ -1082,6 +1082,9 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, int c, i; size_t n = *nc_off; + if ( n > 0x0F ) + return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); + while( length-- ) { if( n == 0 ) { From e5b5bd7a400391f3730a43f6191d7c5e7f89bf21 Mon Sep 17 00:00:00 2001 From: Mohammad Azim Khan Date: Fri, 24 Nov 2017 10:52:51 +0000 Subject: [PATCH 2/2] Allocate a unique err code for MBEDTLS_ERR_AES_BAD_INPUT_DATA --- include/mbedtls/aes.h | 4 ++-- include/mbedtls/error.h | 2 +- library/error.c | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index d252930fd..8b9280d97 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -49,9 +49,9 @@ /* Error codes in range 0x0020-0x0022 */ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ -#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0024 /**< Invalid input data. */ -/* Error codes in range 0x0023-0x0025 */ +/* Error codes in range 0x0021-0x0025 */ +#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 /**< Invalid input data. */ #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */ #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED -0x0025 /**< AES hardware accelerator failed. */ diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b4d3a875..786d02e32 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -53,7 +53,7 @@ * GCM 3 0x0012-0x0014 0x0013-0x0013 * BLOWFISH 3 0x0016-0x0018 0x0017-0x0017 * THREADING 3 0x001A-0x001E - * AES 4 0x0020-0x0022 0x0023-0x0025 + * AES 5 0x0020-0x0022 0x0021-0x0025 * CAMELLIA 3 0x0024-0x0026 0x0027-0x0027 * XTEA 2 0x0028-0x0028 0x0029-0x0029 * BASE64 2 0x002A-0x002C diff --git a/library/error.c b/library/error.c index 96ab20376..37058254c 100644 --- a/library/error.c +++ b/library/error.c @@ -572,6 +572,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "AES - Invalid key length" ); if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) ) mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" ); + if( use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA) ) + mbedtls_snprintf( buf, buflen, "AES - Invalid input data" ); if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) ) mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" ); if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )