From acd13e2112724fee3e495cf866b4b19ebf64db91 Mon Sep 17 00:00:00 2001
From: Dmitry Baryshkov
Date: Fri, 17 Apr 2020 04:09:25 +0300
Subject: [PATCH 67/87] gost: pmeth: check that result of data encryption would fit

Check that the result of PKEY_ENCRYPT operation won't overflow provided data buffer.

Signed-off-by: Dmitry Baryshkov
---
 src/lib/libcrypto/gost/gostr341001_pmeth.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/lib/libcrypto/gost/gostr341001_pmeth.c b/src/lib/libcrypto/gost/gostr341001_pmeth.c
index 2813f312c..5f99cf8e1 100644
--- a/src/lib/libcrypto/gost/gostr341001_pmeth.c
+++ b/src/lib/libcrypto/gost/gostr341001_pmeth.c
@@ -549,6 +549,7 @@ pkey_gost01_encrypt_4490(EVP_PKEY_CTX *pctx, unsigned char *out, size_t *out_len
 int key_is_ephemeral;
 EVP_PKEY *sec_key = EVP_PKEY_CTX_get0_peerkey(pctx);
 int nid;
+ int tmp_len;
 if (GOST_KEY_get_digest(pubk->pkey.gost) == NID_id_GostR3411_94_CryptoProParamSet)
@@ -635,7 +636,15 @@ pkey_gost01_encrypt_4490(EVP_PKEY_CTX *pctx, unsigned char *out, size_t *out_len
 goto err;
 }
 }
- if ((*out_len = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL)) > 0)
+ tmp_len = i2d_GOST_KEY_TRANSPORT(gkt, NULL);
+ if (!out) {
+ *out_len = tmp_len;
+ } else {
+ if (*out_len < tmp_len)
+ goto err;
+ *out_len = i2d_GOST_KEY_TRANSPORT(gkt, &out);
+ }
+ if (out_len > 0)
 ret = 1;
 GOST_KEY_TRANSPORT_free(gkt);
 return ret;
--
2.17.1
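Review bot: The final test `if (out_len > 0)` in the second hunk compares the pointer `out_len`, not the length it points to, so `ret = 1` is set even when `i2d_GOST_KEY_TRANSPORT` fails. `tmp_len` is also never checked for a non-positive return: in the `!out` branch a negative value is stored into `*out_len` as a huge `size_t`, and `*out_len < tmp_len` mixes `size_t` with `int`. I would check each i2d result before use and store the length only on success, as below. The function body starts and ends outside the hunk and the `err` label is not visible, so confirm that it frees `gkt` and returns the error value callers expect.

```c
	tmp_len = i2d_GOST_KEY_TRANSPORT(gkt, NULL);
	if (tmp_len <= 0)
		goto err;
	if (out != NULL) {
		/* Caller's buffer must hold the whole DER encoding. */
		if (*out_len < (size_t)tmp_len)
			goto err;
		tmp_len = i2d_GOST_KEY_TRANSPORT(gkt, &out);
		if (tmp_len <= 0)
			goto err;
	}
	*out_len = (size_t)tmp_len;
	ret = 1;
	/* … unchanged: GOST_KEY_TRANSPORT_free(gkt); return ret; … */
```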