@@ -3209,6 +3209,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
32093209 if (!WP11_Session_IsOpInitialized (session , WP11_INIT_AES_GCM_DEC ))
32103210 return CKR_OPERATION_NOT_INITIALIZED ;
32113211
3212+ if (ulEncryptedDataLen < (CK_ULONG )WP11_AesGcm_GetTagBits (session ) / 8 )
3213+ return CKR_ENCRYPTED_DATA_LEN_RANGE ;
32123214 decDataLen = (word32 )ulEncryptedDataLen -
32133215 WP11_AesGcm_GetTagBits (session ) / 8 ;
32143216 if (pData == NULL ) {
@@ -3230,6 +3232,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
32303232 if (!WP11_Session_IsOpInitialized (session , WP11_INIT_AES_CCM_DEC ))
32313233 return CKR_OPERATION_NOT_INITIALIZED ;
32323234
3235+ if (ulEncryptedDataLen < (CK_ULONG )WP11_AesCcm_GetMacLen (session ))
3236+ return CKR_ENCRYPTED_DATA_LEN_RANGE ;
32333237 decDataLen = (word32 )ulEncryptedDataLen -
32343238 WP11_AesCcm_GetMacLen (session );
32353239 if (pData == NULL ) {
@@ -3297,6 +3301,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
32973301 /* AES Key Wrap unwrapping reduces the size by 8 bytes (the
32983302 * integrity check value). If using padding then its even smaller
32993303 * but we can't know the final size without decrypting first. */
3304+ if (ulEncryptedDataLen < KEYWRAP_BLOCK_SIZE )
3305+ return CKR_ENCRYPTED_DATA_LEN_RANGE ;
33003306 decDataLen = (word32 )(ulEncryptedDataLen - KEYWRAP_BLOCK_SIZE );
33013307 if (pData == NULL ) {
33023308 * pulDataLen = decDataLen ;
@@ -3623,6 +3629,9 @@ CK_RV C_DecryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
36233629 if (!WP11_Session_IsOpInitialized (session , WP11_INIT_AES_GCM_DEC ))
36243630 return CKR_OPERATION_NOT_INITIALIZED ;
36253631
3632+ if (WP11_AesGcm_EncDataLen (session ) <
3633+ WP11_AesGcm_GetTagBits (session ) / 8 )
3634+ return CKR_ENCRYPTED_DATA_LEN_RANGE ;
36263635 decPartLen = WP11_AesGcm_EncDataLen (session ) -
36273636 WP11_AesGcm_GetTagBits (session ) / 8 ;
36283637 if (pLastPart == NULL ) {
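Review bot: In the GCM and CCM branches of C_Decrypt the new guard compares the full-width `ulEncryptedDataLen`, but the subtraction right after it still operates on `(word32)ulEncryptedDataLen`. If CK_ULONG is wider than word32 on the build target (not visible here), a length above the 32-bit range passes the guard, is truncated to a small value, and the unsigned subtraction can still wrap. Consider also rejecting lengths that do not fit, e.g. `if (ulEncryptedDataLen > 0xFFFFFFFFUL) return CKR_ENCRYPTED_DATA_LEN_RANGE;`, or subtracting in CK_ULONG and narrowing afterwards as the key-wrap branch does. A short comment such as `/* ciphertext must at least hold the authentication tag */` above each guard would document why the check precedes the length computation. The bodies of C_Decrypt and C_DecryptFinal continue outside these hunks, so whether the early return also ends the active decrypt operation cannot be confirmed from here.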