check range in _rijndael_ecb_ functions

jockebech · jockebech · commit 7b4a5c1dcf28 · 2019-08-02T10:39:08.000+02:00
There is no check that the 'skey' structure has been properly
initialized. For example, the skey-&gt;rijndael.Nr is assumed to contain a
positive number corresponding to the number of AES rounds to perform. In
_rijndael_ecb_encrypt the skey-&gt;rijndael.Nr is subtracted by two, which
can result in an integer underflow if the structure hasn't been
initialized correctly.

By clamping the value for skey-&gt;rijndael.Nr into the valid rounds for
AES we can return an error instead of ending up reading outside the
boundaries (of skey-&gt;rijndael.eK).

Signed-off-by: Joakim Bech &lt;joakim.bech@linaro.org&gt;
Reported-by: Martijn Bogaard &lt;bogaard@riscure.com&gt;
diff --git a/src/ciphers/aes/aes.c b/src/ciphers/aes/aes.c
@@ -295,6 +295,10 @@ int ECB_ENC(const unsigned char *pt, unsigned char *ct, const symmetric_key *ske
     LTC_ARGCHK(skey != NULL);
 
     Nr = skey->rijndael.Nr;
+
+    if (Nr < 2 || Nr > 16)
+        return CRYPT_INVALID_ROUNDS;
+
     rk = skey->rijndael.eK;
 
     /*
@@ -475,6 +479,10 @@ int ECB_DEC(const unsigned char *ct, unsigned char *pt, const symmetric_key *ske
     LTC_ARGCHK(skey != NULL);
 
     Nr = skey->rijndael.Nr;
+
+    if (Nr < 2 || Nr > 16)
+        return CRYPT_INVALID_ROUNDS;
+
     rk = skey->rijndael.dK;
 
     /*
