From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001 From: Jan Friesse Date: Fri, 6 Apr 2018 14:43:02 +0200 Subject: [PATCH] totemcrypto: Check length of the packet Packet has to be longer than crypto_config_header and hash_len, otherwise unallocated memory is passed into calculate_nss_hash function, what may result in crash. Signed-off-by: Jan Friesse Reviewed-by: Raphael Sanchez Prudencio Reviewed-by: Christine Caulfield --- exec/totemcrypto.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c index 64246c9..88c68d1 100644 --- a/exec/totemcrypto.c +++ b/exec/totemcrypto.c @@ -736,6 +736,11 @@ static int authenticate_nss_2_3 ( unsigned char tmp_hash[hash_len[instance->crypto_hash_type]]; int datalen = *buf_len - hash_len[instance->crypto_hash_type]; + if (*buf_len <= hash_len[instance->crypto_hash_type]) { + log_printf(instance->log_level_security, "Received message is too short... ignoring"); + return -1; + } + if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) { return -1; } @@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance, { struct crypto_config_header *cch = (struct crypto_config_header *)buf; + if (*buf_len <= sizeof(struct crypto_config_header)) { + log_printf(instance->log_level_security, "Received message is too short... ignoring"); + + return (-1); + } + if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) { log_printf(instance->log_level_security, "Incoming packet has different crypto type. Rejecting"); -- 1.7.1