wolfSSL PKCS7 SignedData Stack Buffer Overflow Vulnerability

A stack buffer overflow vulnerability has been identified in wolfSSL's PKCS7 SignedData encoding process. The issue arises in the function wc_PKCS7_BuildSignedAttributes(), where an incorrect capacity value is passed to EncodeAttributes(). Instead of using the remaining space in the fixed-size signedAttribs array, the code incorrectly uses the count of signed attributes already added. This flaw allows for stack memory corruption when an application sets the signed attributes size to exceed the default maximum, leading EncodeAttributes() to write beyond the array bounds. In builds with WOLFSSL_SMALL_STACK, this stack corruption manifests as heap corruption. Exploitation requires an application that permits untrusted input to manipulate the signed attributes array size during the encoding process or related signing functions.

Impact

Exploitation of this vulnerability causes a stack buffer overflow, leading to stack memory corruption. In WOLFSSL_SMALL_STACK builds, this corruption extends to the heap, creating potential for further exploitation.

Remediation

Users can update to the latest version of wolfSSL, where this vulnerability has been addressed, to mitigate this issue.