Fixed possible buffer overflow in PKSC#1 message decoding.
authorPekka Riikonen <priikone@silcnet.org>
Thu, 20 Mar 2008 06:38:36 +0000 (08:38 +0200)
committerPekka Riikonen <priikone@silcnet.org>
Thu, 20 Mar 2008 06:38:36 +0000 (08:38 +0200)
Vulnerability reported by Core Security Technologies.  Thanks.

lib/silccrypt/silcpkcs1.c

index 347addecbfd59d06647d2b1d67848f7591857a80..653a4d891fbd8d42aa014ff3763b83e14ccd6553 100644 (file)
@@ -107,7 +107,7 @@ SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
                           SilcUInt32 dest_data_size,
                           SilcUInt32 *dest_len)
 {
-  int i = 0;
+  SilcUInt32 i = 0;
 
   SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
 
@@ -140,12 +140,20 @@ SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
   }
 
   /* Sanity checks */
+  if (i >= data_len) {
+    SILC_LOG_DEBUG(("Malformed block, too short message"));
+    return FALSE;
+  }
+  if (i < SILC_PKCS1_MIN_PADDING) {
+    SILC_LOG_DEBUG(("Malformed block, too short padding"));
+    return FALSE;
+  }
   if (data[i++] != 0x00) {
     SILC_LOG_DEBUG(("Malformed block"));
     return FALSE;
   }
-  if (i - 1 < SILC_PKCS1_MIN_PADDING) {
-    SILC_LOG_DEBUG(("Malformed block"));
+  if (i >= data_len) {
+    SILC_LOG_DEBUG(("Malformed block, too short message"));
     return FALSE;
   }
   if (dest_data_size < data_len - i) {
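Review bot: The second `if (i >= data_len)` test, placed after `data[i++]`, is not a bounds guard: the first test already ensures `i < data_len` before the increment, so `i` is at most `data_len` here and the branch fires only when the payload is empty. The unsigned subtraction in `dest_data_size < data_len - i` on the last line of the hunk cannot wrap either way, so this check is a policy choice to reject empty messages and should say so, e.g. `/* i <= data_len here; a block with no payload after the 0x00 separator is rejected */`. The first test deserves a matching comment such as `/* i may equal data_len if no separator was found; do not read data[i] past the input */`; the scan that sets `i` is outside the hunk, so that wording is inferred from the new check and should be confirmed against it. The body of silc_pkcs1_decode starts before and continues after this hunk.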