diff options
| author | tb <> | 2023-12-22 14:58:05 +0000 |
|---|---|---|
| committer | tb <> | 2023-12-22 14:58:05 +0000 |
| commit | eb6e5d9715bff50bbe9cba6d2633f9cf6cc33299 (patch) | |
| tree | 8be6ea3ad71c3bd0c19ff470bb09eac308ffe986 /src/lib | |
| parent | 44f78a5147d8bbfcf82b507d5fb7839fdf5bfb71 (diff) | |
| download | openbsd-eb6e5d9715bff50bbe9cba6d2633f9cf6cc33299.tar.gz openbsd-eb6e5d9715bff50bbe9cba6d2633f9cf6cc33299.tar.bz2 openbsd-eb6e5d9715bff50bbe9cba6d2633f9cf6cc33299.zip | |
Add length checks for partial_len
These remove a few more potential out-of-bounds accesses and ensure in
particular that the padding is between 1 and block_size (inclusive).
ok joshua jsing
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/evp/evp_enc.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c index 6817bbc595..d18691a4db 100644 --- a/src/lib/libcrypto/evp/evp_enc.c +++ b/src/lib/libcrypto/evp/evp_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: evp_enc.c,v 1.76 2023/12/22 12:35:22 tb Exp $ */ | 1 | /* $OpenBSD: evp_enc.c,v 1.77 2023/12/22 14:58:05 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -325,12 +325,13 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len, | |||
| 325 | return evp_cipher(ctx, out, out_len, in, in_len); | 325 | return evp_cipher(ctx, out, out_len, in, in_len); |
| 326 | 326 | ||
| 327 | /* XXX - check that block_size > partial_len. */ | 327 | /* XXX - check that block_size > partial_len. */ |
| 328 | if (block_size > sizeof(ctx->buf)) { | 328 | if (partial_len < 0 || partial_len >= block_size || |
| 329 | block_size > sizeof(ctx->buf)) { | ||
| 329 | EVPerror(EVP_R_BAD_BLOCK_LENGTH); | 330 | EVPerror(EVP_R_BAD_BLOCK_LENGTH); |
| 330 | return 0; | 331 | return 0; |
| 331 | } | 332 | } |
| 332 | 333 | ||
| 333 | if (partial_len != 0) { | 334 | if (partial_len > 0) { |
| 334 | int partial_needed; | 335 | int partial_needed; |
| 335 | 336 | ||
| 336 | if ((partial_needed = block_size - partial_len) > in_len) { | 337 | if ((partial_needed = block_size - partial_len) > in_len) { |
| @@ -373,9 +374,8 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len, | |||
| 373 | total_len += len; | 374 | total_len += len; |
| 374 | } | 375 | } |
| 375 | 376 | ||
| 376 | if (partial_len != 0) | 377 | if ((ctx->partial_len = partial_len) > 0) |
| 377 | memcpy(ctx->buf, &in[in_len], partial_len); | 378 | memcpy(ctx->buf, &in[in_len], partial_len); |
| 378 | ctx->partial_len = partial_len; | ||
| 379 | 379 | ||
| 380 | *out_len = total_len; | 380 | *out_len = total_len; |
| 381 | 381 | ||
| @@ -401,7 +401,8 @@ EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) | |||
| 401 | return evp_cipher(ctx, out, out_len, NULL, 0); | 401 | return evp_cipher(ctx, out, out_len, NULL, 0); |
| 402 | 402 | ||
| 403 | /* XXX - check that block_size > partial_len. */ | 403 | /* XXX - check that block_size > partial_len. */ |
| 404 | if (block_size > sizeof(ctx->buf)) { | 404 | if (partial_len < 0 || partial_len >= block_size || |
| 405 | block_size > sizeof(ctx->buf)) { | ||
| 405 | EVPerror(EVP_R_BAD_BLOCK_LENGTH); | 406 | EVPerror(EVP_R_BAD_BLOCK_LENGTH); |
| 406 | return 0; | 407 | return 0; |
| 407 | } | 408 | } |