base/SOURCES/bz1560467-1-totemcrypto-Che...

From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Fri, 6 Apr 2018 14:43:02 +0200
Subject: [PATCH] totemcrypto: Check length of the packet

Packet has to be longer than crypto_config_header and hash_len,
otherwise unallocated memory is passed into calculate_nss_hash function,
what may result in crash.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
 exec/totemcrypto.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
index 64246c9..88c68d1 100644
--- a/exec/totemcrypto.c
+++ b/exec/totemcrypto.c
@@ -736,6 +736,11 @@ static int authenticate_nss_2_3 (
 		unsigned char	tmp_hash[hash_len[instance->crypto_hash_type]];
 		int             datalen = *buf_len - hash_len[instance->crypto_hash_type];
 
+		if (*buf_len <= hash_len[instance->crypto_hash_type]) {
+			log_printf(instance->log_level_security, "Received message is too short...  ignoring");
+			return -1;
+		}
+
 		if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
 			return -1;
 		}
@@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
 {
 	struct crypto_config_header *cch = (struct crypto_config_header *)buf;
 
+	if (*buf_len <= sizeof(struct crypto_config_header)) {
+		log_printf(instance->log_level_security, "Received message is too short...  ignoring");
+
+		return (-1);
+	}
+
 	if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
 		log_printf(instance->log_level_security,
 			   "Incoming packet has different crypto type. Rejecting");
-- 
1.7.1
corosync package update Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org> 7 years ago			`From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001`
			`From: Jan Friesse <jfriesse@redhat.com>`
			`Date: Fri, 6 Apr 2018 14:43:02 +0200`
			`Subject: [PATCH] totemcrypto: Check length of the packet`

			`Packet has to be longer than crypto_config_header and hash_len,`
			`otherwise unallocated memory is passed into calculate_nss_hash function,`
			`what may result in crash.`

			`Signed-off-by: Jan Friesse <jfriesse@redhat.com>`
			`Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>`
			`Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>`
			`---`
			`exec/totemcrypto.c \| 11 +++++++++++`
			`1 files changed, 11 insertions(+), 0 deletions(-)`

			`diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c`
			`index 64246c9..88c68d1 100644`
			`--- a/exec/totemcrypto.c`
			`+++ b/exec/totemcrypto.c`
			`@@ -736,6 +736,11 @@ static int authenticate_nss_2_3 (`
			`unsigned char tmp_hash[hash_len[instance->crypto_hash_type]];`
			`int datalen = *buf_len - hash_len[instance->crypto_hash_type];`

			`+ if (*buf_len <= hash_len[instance->crypto_hash_type]) {`
			`+ log_printf(instance->log_level_security, "Received message is too short... ignoring");`
			`+ return -1;`
			`+ }`
			`+`
			`if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {`
			`return -1;`
			`}`
			`@@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,`
			`{`
			`struct crypto_config_header cch = (struct crypto_config_header )buf;`

			`+ if (*buf_len <= sizeof(struct crypto_config_header)) {`
			`+ log_printf(instance->log_level_security, "Received message is too short... ignoring");`
			`+`
			`+ return (-1);`
			`+ }`
			`+`
			`if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {`
			`log_printf(instance->log_level_security,`
			`"Incoming packet has different crypto type. Rejecting");`
			`--`
			`1.7.1`