From: Vitezslav Cizek <vcizek@suse.com>
Date: Tue, 6 Feb 2018 15:46:31 +0000 (+0100)
Subject: accelerated: check keysize in SSSE3 cipher setkey
X-Git-Tag: gnutls_3_6_2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eefd582a22dddef452bb469bff10664bf282fdd7;p=thirdparty%2Fgnutls.git

accelerated: check keysize in SSSE3 cipher setkey

aes_ssse3_cipher_setkey() accepted any key size,
which could lead to invalid memory access.

Such as with the oss-fuzz corpora file
fuzz/gnutls_pkcs8_key_parser_fuzzer.in/da59d34eacdf50a0019a457fb7c4916be48c99a5

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
---

diff --git a/lib/accelerated/x86/aes-cbc-x86-ssse3.c b/lib/accelerated/x86/aes-cbc-x86-ssse3.c
index 8b90a5990a..d0f3708781 100644
--- a/lib/accelerated/x86/aes-cbc-x86-ssse3.c
+++ b/lib/accelerated/x86/aes-cbc-x86-ssse3.c
@@ -65,6 +65,9 @@ aes_ssse3_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
 	struct aes_ctx *ctx = _ctx;
 	int ret;
 
+	if (keysize != 16 && keysize != 24 && keysize != 32)
+		return GNUTLS_E_INVALID_REQUEST;
+
 	if (ctx->enc)
 		ret =
 		    vpaes_set_encrypt_key(userkey, keysize * 8,