SERVER-42318 Tighten bounds on AEAD Decrypt output length

2 files changed, 6 insertions, 3 deletions

diff --git a/src/mongo/shell/encrypted_dbclient_base.cpp b/src/mongo/shell/encrypted_dbclient_base.cpp
index c8858f8a9f3..bec5bb8ae5e 100644
--- a/src/mongo/shell/encrypted_dbclient_base.cpp
+++ b/src/mongo/shell/encrypted_dbclient_base.cpp
@@ -188,7 +188,8 @@ void EncryptedDBClientBase::decryptPayload(ConstDataRange data,
     UUID uuid = UUID::fromCDR(uuidCdr);
 
     auto key = getDataKey(uuid);
-    std::vector<uint8_t> out(data.length() - kAssociatedDataLength);
+    std::vector<uint8_t> out(uassertStatusOK(
+        crypto::aeadGetMaximumPlainTextLength(data.length() - kAssociatedDataLength)));
     size_t outLen = out.size();
 
     uassertStatusOK(
@@ -499,7 +500,8 @@ void EncryptedDBClientBase::decrypt(mozjs::MozJSImplScope* scope,
     UUID uuid = UUID::fromCDR(uuidCdr);
 
     auto key = getDataKey(uuid);
-    std::vector<uint8_t> out(binData.size() - kAssociatedDataLength);
+    std::vector<uint8_t> out(uassertStatusOK(
+        crypto::aeadGetMaximumPlainTextLength(binData.size() - kAssociatedDataLength)));
     size_t outLen = out.size();
 
     auto decryptStatus = crypto::aeadDecrypt(*key,
diff --git a/src/mongo/shell/kms_local.cpp b/src/mongo/shell/kms_local.cpp
index e7a090211b3..628ea9ed9c2 100644
--- a/src/mongo/shell/kms_local.cpp
+++ b/src/mongo/shell/kms_local.cpp
@@ -93,7 +93,8 @@ BSONObj LocalKMSService::encryptDataKey(ConstDataRange cdr, StringData keyId) {
 }
 
 SecureVector<uint8_t> LocalKMSService::decrypt(ConstDataRange cdr, BSONObj masterKey) {
-    SecureVector<uint8_t> plaintext(cdr.length());
+    SecureVector<uint8_t> plaintext(
+        uassertStatusOK(crypto::aeadGetMaximumPlainTextLength(cdr.length())));
 
     size_t outLen = plaintext->size();
     uassertStatusOK(crypto::aeadDecrypt(_key,