authorLukas Slebodnik <lslebodn@redhat.com>2014-03-18 18:29:43 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-04-28 22:14:23 +0200
commit9faab6d48145d3a0d7b9a225ed35bdcaa32eca2c (patch)
tree5fdd06c82b186db203790c7131c88aac0b0fec68
parentda7d1fde3f9e37600831bdd5674291522fabd6f2 (diff)
CRYPTO: Fix access to uninitialized data
The size of the output buffer (obufsize) was larger than the initialised data. In the size calculation, uint32_t was used for the length of the cryptotext, but a uint16_t was written into the buffer. The end of the buffer was therefore not initialised, which caused a valgrind warning:

Use of uninitialised value of size 8
  at 0x37AE40F363: pl_base64_encode_buffer (nssb64e.c:180)
  by 0x37AE40F6ED: NSSBase64_EncodeItem_Util (nssb64e.c:482)
  by 0x37AE40F87A: BTOA_DataToAscii_Util (nssb64e.c:721)
  by 0x40208A: sss_base64_encode (nss_base64.c:47)
  by 0x403305: sss_password_encrypt (nss_obfuscate.c:358)

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/util/crypto/libcrypto/crypto_obfuscate.c8
-rw-r--r--src/util/crypto/nss/nss_obfuscate.c8
2 files changed, 12 insertions, 4 deletions
diff --git a/src/util/crypto/libcrypto/crypto_obfuscate.c b/src/util/crypto/libcrypto/crypto_obfuscate.c
index 50ea469c8..85de333ec 100644
--- a/src/util/crypto/libcrypto/crypto_obfuscate.c
+++ b/src/util/crypto/libcrypto/crypto_obfuscate.c
@@ -141,17 +141,21 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
}
result_len = ctlen + digestlen;
+ if (result_len < 0 || result_len > UINT16_MAX) {
+ ret = ERANGE;
+ goto done;
+ }
/* Pack the obfuscation buffer */
/* The buffer consists of:
* uint16_t the type of the cipher
- * uint32_t length of the cryptotext in bytes (clen)
+ * uint16_t length of the cryptotext in bytes (clen)
* uint8_t[klen] key
* uint8_t[blen] IV
* uint8_t[clen] cryptotext
* 4 bytes of "sentinel" denoting end of the buffer
*/
- obufsize = sizeof(uint16_t) + sizeof(uint32_t) +
+ obufsize = sizeof(uint16_t) + sizeof(uint16_t) +
mech_props->keylen + mech_props->bsize +
result_len + OBF_BUFFER_SENTINEL_SIZE;
obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize);
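Review bot: The new range check at the top of this hunk carries no comment tying `UINT16_MAX` to the packed format, and the layout comment still names the length field `clen` while the value that is bounded and sized here is `result_len` (`ctlen + digestlen`). I would add `/* the length field is packed as uint16_t; refuse anything that would be truncated */` above the check, and have the layout comment say that the stored length appears to cover cryptotext plus digest. The `result_len < 0` test also runs only after the addition, so if `ctlen` and `digestlen` are signed (their declarations are outside the hunk) an overflow would already be undefined by then; bounding each operand before adding them would be tighter. The identical hunk in src/util/crypto/nss/nss_obfuscate.c has the same gaps, and in both files sss_password_encrypt starts and ends outside the hunk.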
diff --git a/src/util/crypto/nss/nss_obfuscate.c b/src/util/crypto/nss/nss_obfuscate.c
index fc052ec97..8c6bdc525 100644
--- a/src/util/crypto/nss/nss_obfuscate.c
+++ b/src/util/crypto/nss/nss_obfuscate.c
@@ -325,17 +325,21 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
goto done;
}
result_len = ctlen + digestlen;
+ if (result_len < 0 || result_len > UINT16_MAX) {
+ ret = ERANGE;
+ goto done;
+ }
/* Pack the obfuscation buffer */
/* The buffer consists of:
* uint16_t the type of the cipher
- * uint32_t length of the cryptotext in bytes (clen)
+ * uint16_t length of the cryptotext in bytes (clen)
* uint8_t[klen] key
* uint8_t[blen] IV
* uint8_t[clen] cryptotext
* 4 bytes of "sentinel" denoting end of the buffer
*/
- obufsize = sizeof(uint16_t) + sizeof(uint32_t) +
+ obufsize = sizeof(uint16_t) + sizeof(uint16_t) +
mech_props->keylen + mech_props->bsize +
result_len + OBF_BUFFER_SENTINEL_SIZE;
obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize);