From d927fd07c18c42f10c22ca03b51cb09220e322da Mon Sep 17 00:00:00 2001
From: James Prestwood <prestwoj@gmail.com>
Date: Wed, 16 Apr 2025 10:33:42 -0700
Subject: [PATCH] storage: add length check in __storage_decrypt

The length of EncryptedSecurity was assumed to be at least 16 bytes
and anything less would underflow the length to l_malloc.

Fixes: 01cd8587606b ("storage: implement network profile encryption")
---
 src/storage.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/storage.c b/src/storage.c
index 843581fd..2115a879 100644
--- a/src/storage.c
+++ b/src/storage.c
@@ -500,6 +500,13 @@ int __storage_decrypt(struct l_settings *settings, const char *ssid,
 		return 0;
 	}
 
+	/*
+	 * It should likely be far larger than this, but that will get caught
+	 * later when reloading the decrypted data.
+	 */
+	if (elen < 16)
+		return -EBADMSG;
+
 	/*
 	 * AES-SIV automatically verifies the IV (16 bytes) and returns only
 	 * the decrypted data portion. We add one here for the NULL terminator