diff options
author | Jack Lloyd <[email protected]> | 2018-11-30 11:33:05 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-11-30 11:33:05 -0500 |
commit | 2d9a5c1ffa61c2a30cb66518ef2de496467540ed (patch) | |
tree | 72f9e34852fb72ea435f3a3860a8b2072069f777 /src/lib/modes | |
parent | 542975a40e34b92f483468b37589fd448b002732 (diff) |
Fix a bug in OneAndZeros unpadding
Introduced in b13c0cc8590199d, it could only trigger if the block size
was more than 256 bytes. In that case an invalid padding could be accepted.
OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
Diffstat (limited to 'src/lib/modes')
-rw-r--r-- | src/lib/modes/mode_pad/mode_pad.cpp | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/lib/modes/mode_pad/mode_pad.cpp b/src/lib/modes/mode_pad/mode_pad.cpp index 5c949e9cf..be3ecf7dc 100644 --- a/src/lib/modes/mode_pad/mode_pad.cpp +++ b/src/lib/modes/mode_pad/mode_pad.cpp @@ -53,7 +53,7 @@ void PKCS7_Padding::add_padding(secure_vector<uint8_t>& buffer, */ size_t PKCS7_Padding::unpad(const uint8_t input[], size_t input_length) const { - if(input_length <= 2) + if(!valid_blocksize(input_length)) return input_length; CT::poison(input, input_length); @@ -104,7 +104,7 @@ void ANSI_X923_Padding::add_padding(secure_vector<uint8_t>& buffer, */ size_t ANSI_X923_Padding::unpad(const uint8_t input[], size_t input_length) const { - if(input_length <= 2) + if(!valid_blocksize(input_length)) return input_length; CT::poison(input, input_length); @@ -146,7 +146,7 @@ void OneAndZeros_Padding::add_padding(secure_vector<uint8_t>& buffer, */ size_t OneAndZeros_Padding::unpad(const uint8_t input[], size_t input_length) const { - if(input_length <= 2) + if(!valid_blocksize(input_length)) return input_length; CT::poison(input, input_length); @@ -170,7 +170,8 @@ size_t OneAndZeros_Padding::unpad(const uint8_t input[], size_t input_length) co bad_input |= ~seen_0x80; CT::unpoison(input, input_length); - return bad_input.select_and_unpoison(input_length, pad_pos); + + return CT::Mask<size_t>::expand(bad_input).select_and_unpoison(input_length, pad_pos); } /* @@ -193,7 +194,7 @@ void ESP_Padding::add_padding(secure_vector<uint8_t>& buffer, */ size_t ESP_Padding::unpad(const uint8_t input[], size_t input_length) const { - if(input_length <= 2) + if(!valid_blocksize(input_length)) return input_length; CT::poison(input, input_length); |