
Commit f332b7a

committed
JNI: add ByteBuffer bounds validation in SHA/MD5/RNG native functions (F-1522)
1 parent b9e0a91 commit f332b7a

3 files changed

Lines changed: 52 additions & 16 deletions


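--- a/jni/jni_md5.c
+++ b/jni/jni_md5.c
@@ -139,6 +139,7 @@ Java_com_wolfssl_wolfcrypt_Md5_native_1update_1internal__Ljava_nio_ByteBuffer_2I
 int ret = 0;
 Md5* md5 = NULL;
 byte* data = NULL;
+jlong dataSz = 0;
 
 md5 = (Md5*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -147,8 +148,10 @@ Java_com_wolfssl_wolfcrypt_Md5_native_1update_1internal__Ljava_nio_ByteBuffer_2I
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-if (!md5 || !data) {
+if (!md5 || !data || position < 0 || len < 0 ||
+((jlong)position + (jlong)len) > dataSz) {
 throwWolfCryptExceptionFromError(env, BAD_FUNC_ARG);
 } else {
 ret = wc_Md5Update(md5, data + position, len);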
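Review bot: `GetDirectBufferCapacity` is called on `data_buffer` unconditionally, before the `!data` test, so a null or non-direct `data_buffer` reaches the raw JNI call; whether the project's `getDirectBufferAddress` wrapper guards against that is not visible on this page. The JNI specification does not require the VM to check for null arguments, so I would query the capacity only once the address is known to be valid, e.g. `dataSz = (data != NULL) ? (*env)->GetDirectBufferCapacity(env, data_buffer) : -1;`. The comparison also silently relies on the documented -1 failure return being rejected because `position + len` cannot be negative at that point, and a short comment such as `/* capacity is -1 for non-direct buffers, which fails this test */` would keep a later refactor from breaking it. The same pattern appears in the jni_rng.c hunk and in all six update functions in jni_sha.c. The function body starts and ends outside these hunks.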

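--- a/jni/jni_rng.c
+++ b/jni/jni_rng.c
@@ -123,6 +123,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Rng_rngGenerateBlock__Ljava_ni
 int ret = 0;
 RNG* rng = NULL;
 byte* buffer = NULL;
+jlong bufferSz = 0;
 
 rng = (RNG*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -131,8 +132,10 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Rng_rngGenerateBlock__Ljava_ni
 }
 
 buffer = getDirectBufferAddress(env, buffer_buffer);
+bufferSz = (*env)->GetDirectBufferCapacity(env, buffer_buffer);
 
-if (rng == NULL || buffer == NULL) {
+if (rng == NULL || buffer == NULL || position < 0 || size < 0 ||
+((jlong)position + (jlong)size) > bufferSz) {
 ret = BAD_FUNC_ARG;
 }
 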
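Review bot: The new range check compares `position + size` against the buffer's capacity, not its limit, and this function writes into the buffer, so native code can still overwrite bytes between limit and capacity that the Java side did not expose. That is memory-safe with respect to the allocation but weaker than ByteBuffer's own contract. Either the Java wrapper has to enforce `position + size <= limit()` before the call or the limit should be passed down and checked here, and a comment such as `/* bounds checked against capacity only; Java caller enforces limit() */` should record which of the two applies. Whether the generate call that follows is skipped when `ret` is `BAD_FUNC_ARG` lies outside this hunk and is worth confirming.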

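--- a/jni/jni_sha.c
+++ b/jni/jni_sha.c
@@ -267,6 +267,7 @@ Java_com_wolfssl_wolfcrypt_Sha_native_1update_1internal__Ljava_nio_ByteBuffer_2I
 int ret = 0;
 Sha* sha = NULL;
 byte* data = NULL;
+jlong dataSz = 0;
 
 sha = (Sha*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -275,10 +276,15 @@ Java_com_wolfssl_wolfcrypt_Sha_native_1update_1internal__Ljava_nio_ByteBuffer_2I
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-ret = (!sha || !data)
-? BAD_FUNC_ARG
-: wc_ShaUpdate(sha, data + position, len);
+if (!sha || !data || position < 0 || len < 0 ||
+((jlong)position + (jlong)len) > dataSz) {
+ret = BAD_FUNC_ARG;
+}
+else {
+ret = wc_ShaUpdate(sha, data + position, len);
+}
 
 if (ret != 0)
 throwWolfCryptExceptionFromError(env, ret);
@@ -469,6 +475,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Sha224_native_1update_1interna
 int ret = 0;
 Sha224* sha = NULL;
 byte* data = NULL;
+jlong dataSz = 0;
 
 sha = (Sha224*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -477,8 +484,10 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Sha224_native_1update_1interna
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-if (sha == NULL || data == NULL) {
+if (sha == NULL || data == NULL || position < 0 || len < 0 ||
+((jlong)position + (jlong)len) > dataSz) {
 ret = BAD_FUNC_ARG;
 }
 else {
@@ -693,6 +702,7 @@ Java_com_wolfssl_wolfcrypt_Sha256_native_1update_1internal__Ljava_nio_ByteBuffer
 int ret = 0;
 Sha256* sha = NULL;
 byte* data = NULL;
+jlong dataSz = 0;
 
 sha = (Sha256*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -701,10 +711,15 @@ Java_com_wolfssl_wolfcrypt_Sha256_native_1update_1internal__Ljava_nio_ByteBuffer
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-ret = (!sha || !data)
-? BAD_FUNC_ARG
-: wc_Sha256Update(sha, data + position, len);
+if (!sha || !data || position < 0 || len < 0 ||
+((jlong)position + (jlong)len) > dataSz) {
+ret = BAD_FUNC_ARG;
+}
+else {
+ret = wc_Sha256Update(sha, data + position, len);
+}
 
 if (ret != 0)
 throwWolfCryptExceptionFromError(env, ret);
@@ -890,6 +905,7 @@ Java_com_wolfssl_wolfcrypt_Sha384_native_1update_1internal__Ljava_nio_ByteBuffer
 int ret = 0;
 Sha384* sha = NULL;
 byte* data = NULL;
+jlong dataSz = 0;
 
 sha = (Sha384*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -898,10 +914,15 @@ Java_com_wolfssl_wolfcrypt_Sha384_native_1update_1internal__Ljava_nio_ByteBuffer
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-ret = (!sha || !data)
-? BAD_FUNC_ARG
-: wc_Sha384Update(sha, data + position, len);
+if (!sha || !data || position < 0 || len < 0 ||
+((jlong)position + (jlong)len) > dataSz) {
+ret = BAD_FUNC_ARG;
+}
+else {
+ret = wc_Sha384Update(sha, data + position, len);
+}
 
 if (ret != 0)
 throwWolfCryptExceptionFromError(env, ret);
@@ -1086,6 +1107,7 @@ Java_com_wolfssl_wolfcrypt_Sha512_native_1update_1internal__Ljava_nio_ByteBuffer
 int ret = 0;
 Sha512* sha = NULL;
 byte* data = NULL;
+jlong dataSz = 0;
 
 sha = (Sha512*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -1094,10 +1116,15 @@ Java_com_wolfssl_wolfcrypt_Sha512_native_1update_1internal__Ljava_nio_ByteBuffer
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-ret = (!sha || !data)
-? BAD_FUNC_ARG
-: wc_Sha512Update(sha, data + position, len);
+if (!sha || !data || position < 0 || len < 0 ||
+((jlong)position + (jlong)len) > dataSz) {
+ret = BAD_FUNC_ARG;
+}
+else {
+ret = wc_Sha512Update(sha, data + position, len);
+}
 
 if (ret != 0)
 throwWolfCryptExceptionFromError(env, ret);
@@ -1349,6 +1376,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Sha3_native_1update_1internal_
 int ret = 0;
 byte* data = NULL;
 wc_Sha3* sha = NULL;
+jlong dataSz = 0;
 
 sha = (wc_Sha3*) getNativeStruct(env, this);
 if ((*env)->ExceptionOccurred(env)) {
@@ -1357,8 +1385,10 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Sha3_native_1update_1internal_
 }
 
 data = getDirectBufferAddress(env, data_buffer);
+dataSz = (*env)->GetDirectBufferCapacity(env, data_buffer);
 
-if (sha == NULL || data == NULL) {
+if (sha == NULL || data == NULL || offset < 0 || len < 0 ||
+((jlong)offset + (jlong)len) > dataSz) {
 ret = BAD_FUNC_ARG;
 }
 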
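Review bot: The same range condition is now written out six times in this file (Sha, Sha224, Sha256, Sha384, Sha512, Sha3) and again in jni_md5.c and jni_rng.c, so one copy can drift from the others; the Sha3 hunk already differs by using `offset` where the rest use `position`. A small shared helper would keep the security check in one place, assuming both arguments are `jint` (the signatures are truncated here): `static int directBufferRangeOk(jlong cap, jint off, jint len) { return off >= 0 && len >= 0 && (jlong)off + (jlong)len <= cap; }`. Each call site would then read `if (!sha || !data || !directBufferRangeOk(dataSz, position, len))`, and the helper is the natural place for a comment that a capacity of -1 from a non-direct buffer fails the test. All six function bodies start and end outside the hunks shown.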
