RSA: Fix buffer overflow in PSS signature verification

Fix buffer overflow in RSA-PSS signature verification when the hash is too large for the key size. Found by Seth Terashima, Qualcomm. Added a non-regression test and a positive test with the smallest permitted key size for a SHA-512 hash.
2025-08-01 10:06:53 +03:00 · 2017-10-17 19:01:38 +02:00
parent 3f50f511de
commit 28a0c72795
7 changed files with 75 additions and 0 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@ -1362,6 +1362,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

    hlen = mbedtls_md_get_size( md_info );
+    if( siglen < hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    slen = siglen - hlen - 1; /* Currently length of salt + padding */

    memset( zeros, 0, 8 );