From 9faab6d48145d3a0d7b9a225ed35bdcaa32eca2c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Tue, 18 Mar 2014 18:29:43 +0100
Subject: CRYPTO: Fix access to uninitialized data

The size of output buffer(obufsize) was longer than initialised data. In calculation, uint32_t was used for length of the cryptotext, but uint16_t was written into buffer. The end of buffer was not initialised and it caused valgrind warning.

Use of uninitialised value of size 8
   at 0x37AE40F363: pl_base64_encode_buffer (nssb64e.c:180)
   by 0x37AE40F6ED: NSSBase64_EncodeItem_Util (nssb64e.c:482)
   by 0x37AE40F87A: BTOA_DataToAscii_Util (nssb64e.c:721)
   by 0x40208A: sss_base64_encode (nss_base64.c:47)
   by 0x403305: sss_password_encrypt (nss_obfuscate.c:358)

Reviewed-by: Jakub Hrozek
---
 src/util/crypto/libcrypto/crypto_obfuscate.c | 8 ++++++--
 src/util/crypto/nss/nss_obfuscate.c | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
(limited to 'src/util/crypto')

diff --git a/src/util/crypto/libcrypto/crypto_obfuscate.c b/src/util/crypto/libcrypto/crypto_obfuscate.c
index 50ea469c8..85de333ec 100644
--- a/src/util/crypto/libcrypto/crypto_obfuscate.c
+++ b/src/util/crypto/libcrypto/crypto_obfuscate.c
@@ -141,17 +141,21 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
     }
     result_len = ctlen + digestlen;
+    if (result_len < 0 || result_len > UINT16_MAX) {
+        ret = ERANGE;
+        goto done;
+    }
 
     /* Pack the obfuscation buffer */
     /* The buffer consists of:
      * uint16_t the type of the cipher
-     * uint32_t length of the cryptotext in bytes (clen)
+     * uint16_t length of the cryptotext in bytes (clen)
      * uint8_t[klen] key
      * uint8_t[blen] IV
      * uint8_t[clen] cryptotext
      * 4 bytes of "sentinel" denoting end of the buffer
      */
-    obufsize = sizeof(uint16_t) + sizeof(uint32_t) +
+    obufsize = sizeof(uint16_t) + sizeof(uint16_t) +
                mech_props->keylen + mech_props->bsize +
                result_len + OBF_BUFFER_SENTINEL_SIZE;
     obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize);
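Review bot: The allocation on the last context line, `obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize);`, still hands back uninitialised heap, so the property this commit restores — that every byte later base64-encoded into the persisted obfuscated password was written deliberately — depends entirely on obufsize staying in step with the writes that follow, and the original bug shows how easily that drifts. Zeroing the buffer at allocation, `obfbuf = talloc_zero_array(tmp_ctx, unsigned char, obufsize);`, costs nothing here and turns any future miscount into a harmless zero byte instead of a leak of heap contents into the config file. The new ERANGE path also returns silently; if this function's other failure paths emit DEBUG messages (they are outside the hunk, so I cannot confirm), a one-line message naming result_len before `goto done` would make a rejected value diagnosable. The body of sss_password_encrypt continues on both sides of this hunk.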
diff --git a/src/util/crypto/nss/nss_obfuscate.c b/src/util/crypto/nss/nss_obfuscate.c
index fc052ec97..8c6bdc525 100644
--- a/src/util/crypto/nss/nss_obfuscate.c
+++ b/src/util/crypto/nss/nss_obfuscate.c
@@ -325,17 +325,21 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
         goto done;
     }
     result_len = ctlen + digestlen;
+    if (result_len < 0 || result_len > UINT16_MAX) {
+        ret = ERANGE;
+        goto done;
+    }
 
     /* Pack the obfuscation buffer */
     /* The buffer consists of:
      * uint16_t the type of the cipher
-     * uint32_t length of the cryptotext in bytes (clen)
+     * uint16_t length of the cryptotext in bytes (clen)
      * uint8_t[klen] key
      * uint8_t[blen] IV
      * uint8_t[clen] cryptotext
      * 4 bytes of "sentinel" denoting end of the buffer
      */
-    obufsize = sizeof(uint16_t) + sizeof(uint32_t) +
+    obufsize = sizeof(uint16_t) + sizeof(uint16_t) +
               mech_props->keylen + mech_props->bsize +
               result_len + OBF_BUFFER_SENTINEL_SIZE;
     obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize);
-- cgit
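Review bot: The added guard `if (result_len < 0 || result_len > UINT16_MAX)` only does what it says if result_len is a signed type; its declaration is outside the hunk, and if it is size_t or another unsigned type the `< 0` half is dead code that -Wtype-limits will flag, so the check should match the real type (and, if the addends are signed, guard `ctlen` and `digestlen` individually before the addition rather than inspecting their sum). Separately, shrinking obufsize by two bytes changes the size of the packed blob: values obfuscated by earlier builds decode the same leading fields but, per the commit message's "end of buffer was not initialised", carry two stray bytes at the tail, so it is worth confirming that the decrypt path validates by the sentinel and parsed field lengths rather than by an exact total length — that cannot be verified from this hunk. The body of sss_password_encrypt continues on both sides of this hunk.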