From 689a6272153f44b23c1702a09b6db32b79adbd72 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 18 Mar 2016 11:45:44 +0000 Subject: [PATCH] Fix null pointer dereference in the RSA module. Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt --- ChangeLog | 2 ++ library/rsa.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4e11654b1..a2fae0d41 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,8 @@ Bugfix * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the buffer after DER certificates to be included in the raw representation. * Fix issue that caused a hang when generating RSA keys of odd bitlength + * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer + dereference possible. Changes * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, diff --git a/library/rsa.c b/library/rsa.c index a4ad66449..5f9bee35e 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -590,7 +590,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if( f_rng == NULL ) + // We don't check p_rng because it won't be dereferenced here + if( f_rng == NULL || input == NULL || output == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); olen = ctx->len;