|
 |
6d54af |
From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001
|
|
|
6d54af |
From: Jan Friesse <jfriesse@redhat.com>
|
|
|
6d54af |
Date: Fri, 6 Apr 2018 14:43:02 +0200
|
|
|
6d54af |
Subject: [PATCH] totemcrypto: Check length of the packet
|
|
|
6d54af |
|
|
|
6d54af |
Packet has to be longer than crypto_config_header and hash_len,
|
|
|
6d54af |
otherwise unallocated memory is passed into calculate_nss_hash function,
|
|
|
6d54af |
what may result in crash.
|
|
|
6d54af |
|
|
|
6d54af |
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
|
|
|
6d54af |
Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>
|
|
|
6d54af |
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
|
|
|
6d54af |
---
|
|
|
6d54af |
exec/totemcrypto.c | 11 +++++++++++
|
|
|
6d54af |
1 files changed, 11 insertions(+), 0 deletions(-)
|
|
|
6d54af |
|
|
|
6d54af |
diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
|
|
|
6d54af |
index 64246c9..88c68d1 100644
|
|
|
6d54af |
--- a/exec/totemcrypto.c
|
|
|
6d54af |
+++ b/exec/totemcrypto.c
|
|
|
6d54af |
@@ -736,6 +736,11 @@ static int authenticate_nss_2_3 (
|
|
|
6d54af |
unsigned char tmp_hash[hash_len[instance->crypto_hash_type]];
|
|
|
6d54af |
int datalen = *buf_len - hash_len[instance->crypto_hash_type];
|
|
|
6d54af |
|
|
|
6d54af |
+ if (*buf_len <= hash_len[instance->crypto_hash_type]) {
|
|
|
6d54af |
+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
|
|
|
6d54af |
+ return -1;
|
|
|
6d54af |
+ }
|
|
|
6d54af |
+
|
|
|
6d54af |
if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
|
|
|
6d54af |
return -1;
|
|
|
6d54af |
}
|
|
|
6d54af |
@@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
|
|
|
6d54af |
{
|
|
|
6d54af |
struct crypto_config_header *cch = (struct crypto_config_header *)buf;
|
|
|
6d54af |
|
|
|
6d54af |
+ if (*buf_len <= sizeof(struct crypto_config_header)) {
|
|
|
6d54af |
+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
|
|
|
6d54af |
+
|
|
|
6d54af |
+ return (-1);
|
|
|
6d54af |
+ }
|
|
|
6d54af |
+
|
|
|
6d54af |
if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
|
|
|
6d54af |
log_printf(instance->log_level_security,
|
|
|
6d54af |
"Incoming packet has different crypto type. Rejecting");
|
|
|
6d54af |
--
|
|
|
6d54af |
1.7.1
|
|
|
6d54af |
|