From 4728469f53bcc1dbdd7fc338572e822eeb263034 Mon Sep 17 00:00:00 2001
From: Jaeden Amero <jaeden.amero@arm.com>
Date: Wed, 6 Feb 2019 10:44:56 +0000
Subject: [PATCH] rsa: Re-enable use of zero-length null output

After merging the latest RSA implementation from Mbed TLS, we have a
regression in that we no longer properly handle zero-length null output
in PKCS1 v1.5 decryption. Prevent undefined behavior by avoiding a
memcpy() to zero-length null output buffers.
---
 library/rsa.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/library/rsa.c b/library/rsa.c
index b680188291..25544aa042 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1624,9 +1624,15 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
                       plaintext_max_size,
                       plaintext_max_size - plaintext_size );
 
-    /* Finally copy the decrypted plaintext plus trailing zeros
-     * into the output buffer. */
-    memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
+    /* Finally copy the decrypted plaintext plus trailing zeros into the output
+     * buffer. If output_max_len is 0, then output may be an invalid pointer
+     * and the result of memcpy() would be undefined; prevent undefined
+     * behavior making sure to depend only on output_max_len (the size of the
+     * user-provided output buffer), which is independent from plaintext
+     * length, validity of padding, success of the decryption, and other
+     * secrets. */
+    if( output_max_len != 0 )
+        memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
 
     /* Report the amount of data we copied to the output buffer. In case
      * of errors (bad padding or output too large), the value of *olen