author | Jack Lloyd <[email protected]> | 2018-11-30 11:33:05 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-11-30 11:33:05 -0500 |
commit | 2d9a5c1ffa61c2a30cb66518ef2de496467540ed (patch) | |
tree | 72f9e34852fb72ea435f3a3860a8b2072069f777 /src/fuzzer/mode_padding.cpp | |
parent | 542975a40e34b92f483468b37589fd448b002732 (diff) |
Fix a bug in OneAndZeros unpadding
Introduced in b13c0cc8590199d, it could only trigger if the block size
was more than 256 bytes. In that case an invalid padding could be accepted.
OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
Diffstat (limited to 'src/fuzzer/mode_padding.cpp')
-rw-r--r-- | src/fuzzer/mode_padding.cpp | 51 |
1 files changed, 32 insertions, 19 deletions
diff --git a/src/fuzzer/mode_padding.cpp b/src/fuzzer/mode_padding.cpp
index 0819afb72..c366530dd 100644
--- a/src/fuzzer/mode_padding.cpp
+++ b/src/fuzzer/mode_padding.cpp
@@ -130,25 +130,38 @@ uint16_t ref_tls_cbc_unpad(const uint8_t in[], size_t len)
 void fuzz(const uint8_t in[], size_t len)
 {
- Botan::PKCS7_Padding pkcs7;
- const size_t ct_pkcs7 = pkcs7.unpad(in, len);
- const size_t ref_pkcs7 = ref_pkcs7_unpad(in, len);
- FUZZER_ASSERT_EQUAL(ct_pkcs7, ref_pkcs7);
-
- Botan::ANSI_X923_Padding x923;
- const size_t ct_x923 = x923.unpad(in, len);
- const size_t ref_x923 = ref_x923_unpad(in, len);
- FUZZER_ASSERT_EQUAL(ct_x923, ref_x923);
-
- Botan::OneAndZeros_Padding oneandzero;
- const size_t ct_oneandzero = oneandzero.unpad(in, len);
- const size_t ref_oneandzero = ref_oneandzero_unpad(in, len);
- FUZZER_ASSERT_EQUAL(ct_oneandzero, ref_oneandzero);
-
- Botan::ESP_Padding esp;
- const size_t ct_esp = esp.unpad(in, len);
- const size_t ref_esp = ref_esp_unpad(in, len);
- FUZZER_ASSERT_EQUAL(ct_esp, ref_esp);
+ static Botan::PKCS7_Padding pkcs7;
+ static Botan::ANSI_X923_Padding x923;
+ static Botan::OneAndZeros_Padding oneandzero;
+ static Botan::ESP_Padding esp;
+
+ if(pkcs7.valid_blocksize(len))
+ {
+ const size_t ct_pkcs7 = pkcs7.unpad(in, len);
+ const size_t ref_pkcs7 = ref_pkcs7_unpad(in, len);
+ FUZZER_ASSERT_EQUAL(ct_pkcs7, ref_pkcs7);
+ }
+
+ if(x923.valid_blocksize(len))
+ {
+ const size_t ct_x923 = x923.unpad(in, len);
+ const size_t ref_x923 = ref_x923_unpad(in, len);
+ FUZZER_ASSERT_EQUAL(ct_x923, ref_x923);
+ }
+
+ if(oneandzero.valid_blocksize(len))
+ {
+ const size_t ct_oneandzero = oneandzero.unpad(in, len);
+ const size_t ref_oneandzero = ref_oneandzero_unpad(in, len);
+ FUZZER_ASSERT_EQUAL(ct_oneandzero, ref_oneandzero);
+ }
+
+ if(esp.valid_blocksize(len))
+ {
+ const size_t ct_esp = esp.unpad(in, len);
+ const size_t ref_esp = ref_esp_unpad(in, len);
+ FUZZER_ASSERT_EQUAL(ct_esp, ref_esp);
+ }
 const uint16_t ct_cbc = Botan::TLS::check_tls_cbc_padding(in, len);
 const uint16_t ref_cbc = ref_tls_cbc_unpad(in, len); |
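Review bot: The new `valid_blocksize(len)` guards in `fuzz` silently narrow the differential check: any length a mode rejects is now skipped for that mode, and nothing in the hunk says so. Going by the commit message, the bug fixed here only triggered at block sizes above 256 bytes, so if `valid_blocksize` rejects such lengths (its definition is not visible here) the harness no longer reaches that region at all. I would add a comment above the first guard, e.g. `// unpad() is only compared for lengths the mode accepts as a block size; other lengths are skipped, not tested`. If `unpad` is meant to fail safely on out-of-range lengths, pin that expectation in an `else` branch instead of skipping. The TLS CBC comparison below stays unguarded, and the body of `fuzz` continues past the end of the hunk.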