[noup] zephyr: crypto: fix coverity issue when getting public/private key

Qingling-Wu · jukkar · commit cf270006050c · 2025-06-16T08:16:40.000+03:00
Fix INTEGER_OVERFLOW coverity issue.
crypto_ec_key_get_subject_public_key/crypto_ec_key_get_ecprivate_key:
tainted_data_return: Called function mbedtls_asn1_write_len,
and a possible return value is known to be less than zero.
overflow: The expression len is considered to have possibly overflowed.

Check return value of mbedtls_asn1_write_len and mbedtls_asn1_write_tag,
if less than zero, return NULL.

Signed-off-by: Qingling Wu &lt;qingling.wu@nxp.com&gt;
diff --git a/src/crypto/crypto_mbedtls_alt.c b/src/crypto/crypto_mbedtls_alt.c
@@ -2645,6 +2645,7 @@ struct wpabuf *crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
         /* algorithm AlgorithmIdentifier */
         unsigned char *a = p;
         size_t alen;
+        int ret;
         mbedtls_asn1_get_tag(&p, end, &alen, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
         p += alen;
         alen = (size_t)(p - a);
@@ -2658,8 +2659,16 @@ struct wpabuf *crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
         os_memmove(p - alen, a, alen);
         len += alen;
         p -= alen;
-        len += mbedtls_asn1_write_len(&p, buf, (size_t)len);
-        len += mbedtls_asn1_write_tag(&p, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+        if ((ret = mbedtls_asn1_write_len(&p, buf, (size_t)len)) < 0)
+        {
+            return NULL;
+        }
+        len += ret;
+        if ((ret = mbedtls_asn1_write_tag(&p, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) < 0)
+        {
+            return NULL;
+        }
+        len += ret;
     }
 #endif
     return wpabuf_alloc_copy(p, (size_t)len);
@@ -2690,6 +2699,7 @@ struct wpabuf *crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key, bool i
         unsigned char *p   = priv + sizeof(priv) - privlen;
         unsigned char *end = priv + sizeof(priv);
         size_t len;
+        int ret;
         /* ECPrivateKey SEQUENCE */
         mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
         /* version INTEGER */
@@ -2706,8 +2716,16 @@ struct wpabuf *crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key, bool i
         /* write new SEQUENCE header (we know that it fits in priv[]) */
         len = (size_t)(p - v);
         p   = v;
-        len += mbedtls_asn1_write_len(&p, priv, len);
-        len += mbedtls_asn1_write_tag(&p, priv, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+        if ((ret = mbedtls_asn1_write_len(&p, priv, len)) < 0)
+        {
+            return NULL;
+        }
+        len += ret;
+        if ((ret = mbedtls_asn1_write_tag(&p, priv, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) < 0)
+        {
+            return NULL;
+        }
+        len += ret;
         wbuf = wpabuf_alloc_copy(p, len);
     }
 
