libmbedtls: mbedtls_mpi_shrink(): fix possible unwanted truncation

If mbedtls_mpi_shrink() is passed a value for nblimbs that is smaller than the minimum number of limbs required to store the big number, the current implementation will unexpectedly truncate the number to the requested size. It should use the minimal size instead in order not to corrupt the bigum value. This issue was introduced in [1] probably as a result of a bad copy and paste from mbedtls_mpi_grow(). Fixes: [1] commit 98bd5fe ("libmbedtls: add mbedtls_mpi_init_mempool()") Reported-by: Zhenke Ma <zhenke.ma@armchina.com> Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
tomvaneyck · Apr 30, 2020 · 2df910b · 2df910b
1 parent 5cab033
commit 2df910b
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/lib/libmbedtls/mbedtls/library/bignum.c b/lib/libmbedtls/mbedtls/library/bignum.c
@@ -206,14 +206,14 @@ int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
 
     if( X->use_mempool )
     {
-        p = mempool_alloc( mbedtls_mpi_mempool, nblimbs * ciL );
+        p = mempool_alloc( mbedtls_mpi_mempool, i * ciL );
         if( p == NULL )
             return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
-        memset( p, 0, nblimbs * ciL );
+        memset( p, 0, i * ciL );
     }
     else
     {
-        p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL );
+        p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL );
         if( p == NULL )
             return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
     }