Add safety check to chachapoly finish

Previous code checked that the buffer was big enough for the tag size for the given algorithm, however chachapoly finish expects a 16 byte buffer passed in, no matter what. If we start supporting smaller chachapoly tags in the future, this could potentially end up in buffer overflow, so add a safety check. Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2025-11-04 04:32:24 -05:00 · 2021-07-22 18:48:24 +01:00 · 2021-07-22 18:48:24 +01:00 · ed08cf884a
commit ed08cf884a
parent 2fe5db87d5
1 changed files with 9 additions and 0 deletions
--- a/library/psa_crypto_aead.c
+++ b/library/psa_crypto_aead.c
@ -633,9 +633,18 @@ psa_status_t mbedtls_psa_aead_finish(
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
    if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
+    {
+        /* Belt and braces. Although the above tag_size check should have
+         * already done this, if we later start supporting smaller tag sizes
+         * for chachapoly, then passing a tag buffer smaller than 16 into here
+         * could cause a buffer overflow, so better safe than sorry. */
+        if( tag_size < 16 )
+            return( PSA_ERROR_BUFFER_TOO_SMALL );
+
        status = mbedtls_to_psa_error(
            mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
                                       tag ) );
+    }
    else
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
    {