summaryrefslogtreecommitdiff
path: root/src/libipsec
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2021-09-28 17:52:08 +0200
committerDaniil Baturin <daniil@baturin.org>2021-11-24 08:06:33 +0700
commit5de6fd137e48151e58954f6c0b8866d258fff14b (patch)
tree087e24ecd8594f8156f6ffd4ef26818ad072111d /src/libipsec
parente10cfecc81ec1fe0c2be4ad958467de77b3f7bb7 (diff)
downloadvyos-strongswan-5de6fd137e48151e58954f6c0b8866d258fff14b.tar.gz
vyos-strongswan-5de6fd137e48151e58954f6c0b8866d258fff14b.zip
Reject RSASSA-PSS params with negative salt length
The `salt_len` member in the struct is of type `ssize_t` because we use negative values for special automatic salt lengths when generating signatures. Not checking this could lead to an integer overflow. The value is assigned to the `len` field of a chunk (`size_t`), which is further used in calculations to check the padding structure and (if that is passed by a matching crafted signature value) eventually a memcpy() that will result in a segmentation fault. Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") Fixes: CVE-2021-41990 Signed-off-by: Daniil Baturin <daniil@baturin.org>
Diffstat (limited to 'src/libipsec')
0 files changed, 0 insertions, 0 deletions