From 1fb2f32ef5485962e0334dbbb397b3114a18dba6 Mon Sep 17 00:00:00 2001
From: Raef Coles
Date: Mon, 10 Oct 2022 11:23:07 +0100
Subject: [PATCH] Check LMS offsets are sane at runtime

Signed-off-by: Raef Coles
---
 library/lms.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/library/lms.c b/library/lms.c
index adba19582..296adceda 100644
--- a/library/lms.c
+++ b/library/lms.c
@@ -733,6 +733,12 @@ int mbedtls_lms_sign( mbedtls_lms_private_t *ctx,
 */
 ctx->q_next_usable_key += 1;
 
+ if ( MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)
+ < SIG_OTS_SIG_OFFSET )
+ {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
 ret = mbedtls_lmots_sign( &ctx->ots_private_keys[q_leaf_identifier],
 f_rng, p_rng, msg, msg_size,
 sig + SIG_OTS_SIG_OFFSET,
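Review bot: The new length guard sits after `ctx->q_next_usable_key += 1;`, so the `return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;` path leaves the leaf counter advanced even though no signature was produced. The condition reads only `ctx->params.type` and `ctx->params.otstype`, so it can be evaluated before any state changes; I would move the whole `if` block above the increment so that a rejected call does not consume a one-time key index. A short comment such as `/* Reject parameter sets whose signature length is smaller than the OTS offset used for the write below. */` would record why the check exists; presumably it protects the size computation passed to mbedtls_lmots_sign, but that argument is outside the hunk. mbedtls_lms_sign starts before and continues past this hunk, so any earlier validation of the caller's buffer size is not visible here.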