Detect integer overflow in cmsg size computation

1 files changed, 3 insertions, 2 deletions

diff --git a/lib/ncrypto_alg.c b/lib/ncrypto_alg.c
index dcb6e02..3cfda6a 100644
--- a/lib/ncrypto_alg.c
+++ b/lib/ncrypto_alg.c
@@ -919,7 +919,7 @@ ncr_symm_cipher_change_iv (struct ncr_symm_cipher_session *sess, const void *iv,
   g_return_val_if_fail (iv != NULL || iv_size == 0, CKR_ARGUMENTS_BAD);
   /* Implicitly restricts iv_size so that it fits into iv_header.ivlen */
   cmsg_space = CMSG_SPACE (sizeof (iv_header) + iv_size);
-  g_return_val_if_fail (cmsg_space <= sizeof (cmsg_buf),
+  g_return_val_if_fail (cmsg_space > iv_size && cmsg_space <= sizeof (cmsg_buf),
 			CKR_MECHANISM_PARAM_INVALID);
 
   /* The IV might be left pending until the first actual data arrives, saving
@@ -967,7 +967,8 @@ symm_cipher_init (struct ncr_symm_cipher_session *sess, bool encrypt,
   g_return_val_if_fail (param != NULL || param_size == 0, CKR_ARGUMENTS_BAD);
   /* Implicitly restricts param_size so that it fits into iv.ivlen */
   cmsg_space = CMSG_SPACE (sizeof (iv) + param_size);
-  g_return_val_if_fail (cmsg_space <= sizeof (cmsg_buf),
+  g_return_val_if_fail (cmsg_space > param_size
+			&& cmsg_space <= sizeof (cmsg_buf),
 			CKR_MECHANISM_PARAM_INVALID);
 
   switch (sess->mech)