From 7ddc2cdfce7322f73b97375ba67b6de7c0cb55ae Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Fri, 18 Mar 2016 11:45:44 +0000
Subject: [PATCH] Fix null pointer dereference in the RSA module.

Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
---
 ChangeLog     | 2 ++
 library/rsa.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 1581a3a1f..9a3b8a7ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@ Bugfix
      Follath. #309
    * Fix issue in Makefile that prevented building using armar. #386
    * Fix issue that caused a hang up when generating RSA keys of odd bitlength
+   * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
+     dereference possible.
 
 Changes
    * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
diff --git a/library/rsa.c b/library/rsa.c
index d86fbc557..16114ac5e 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -586,7 +586,8 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
     if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
-    if( f_rng == NULL )
+    // We don't check p_rng because it won't be dereferenced here
+    if( f_rng == NULL || input == NULL || output == NULL )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     olen = ctx->len;