You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 lines
1.7 KiB
48 lines
1.7 KiB
From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001 |
|
From: Jan Friesse <jfriesse@redhat.com> |
|
Date: Fri, 6 Apr 2018 14:43:02 +0200 |
|
Subject: [PATCH] totemcrypto: Check length of the packet |
|
|
|
Packet has to be longer than crypto_config_header and hash_len, |
|
otherwise unallocated memory is passed into calculate_nss_hash function, |
|
what may result in crash. |
|
|
|
Signed-off-by: Jan Friesse <jfriesse@redhat.com> |
|
Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com> |
|
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com> |
|
--- |
|
exec/totemcrypto.c | 11 +++++++++++ |
|
1 files changed, 11 insertions(+), 0 deletions(-) |
|
|
|
diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c |
|
index 64246c9..88c68d1 100644 |
|
--- a/exec/totemcrypto.c |
|
+++ b/exec/totemcrypto.c |
|
@@ -736,6 +736,11 @@ static int authenticate_nss_2_3 ( |
|
unsigned char tmp_hash[hash_len[instance->crypto_hash_type]]; |
|
int datalen = *buf_len - hash_len[instance->crypto_hash_type]; |
|
|
|
+ if (*buf_len <= hash_len[instance->crypto_hash_type]) { |
|
+ log_printf(instance->log_level_security, "Received message is too short... ignoring"); |
|
+ return -1; |
|
+ } |
|
+ |
|
if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) { |
|
return -1; |
|
} |
|
@@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance, |
|
{ |
|
struct crypto_config_header *cch = (struct crypto_config_header *)buf; |
|
|
|
+ if (*buf_len <= sizeof(struct crypto_config_header)) { |
|
+ log_printf(instance->log_level_security, "Received message is too short... ignoring"); |
|
+ |
|
+ return (-1); |
|
+ } |
|
+ |
|
if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) { |
|
log_printf(instance->log_level_security, |
|
"Incoming packet has different crypto type. Rejecting"); |
|
-- |
|
1.7.1 |
|
|
|
|