Hi,

The range checking of the salt length (salt_len) in pkcs5_pbkdf2() on line 90 of src/sbin/bioctl/pbkdf2.c is a bit off:

    90: if (salt_len == 0 || salt_len > SIZE_MAX - 1)
    91:         return -1;
    92: if ((asalt = malloc(salt_len + 4)) == NULL)
    94:         return -1;

If (SIZE_MAX - 2) is passed to this function "asalt" will be malloc(1)'d and the subsequent memcpy on line 95 will segfault.

This has no impact to bioctl but this implementation is linked to from the PBKDF2 Wikipedia article, and may be copied and used by others.

Regards,
Andrew
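
Added example, not part of the original message and not the project's code: the quoted check beside a bound that accounts for the "+ 4", so the wrap to malloc(1) described above can be reproduced safely. The names quoted_check_accepts, alloc_request and make_asalt are hypothetical, and the SIZE_MAX - 4 bound is an assumed correction, not taken from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The check as quoted in the message: returns 1 if salt_len is accepted. */
int quoted_check_accepts(size_t salt_len)
{
	return !(salt_len == 0 || salt_len > SIZE_MAX - 1);
}

/* Size that reaches malloc(); size_t arithmetic wraps modulo SIZE_MAX + 1. */
size_t alloc_request(size_t salt_len)
{
	return salt_len + 4;
}

/*
 * Hypothetical helper: build salt || INT(count) as PBKDF2 does for each
 * block, with the bound chosen so that salt_len + 4 cannot wrap.
 * Returns NULL on a rejected length or allocation failure.
 */
uint8_t *make_asalt(const uint8_t *salt, size_t salt_len, uint32_t count, size_t *out_len)
{
	uint8_t *asalt;

	if (salt == NULL || salt_len == 0 || salt_len > SIZE_MAX - 4)
		return NULL;
	if ((asalt = malloc(salt_len + 4)) == NULL)
		return NULL;
	memcpy(asalt, salt, salt_len);
	asalt[salt_len + 0] = (count >> 24) & 0xff;	/* big-endian block index */
	asalt[salt_len + 1] = (count >> 16) & 0xff;
	asalt[salt_len + 2] = (count >> 8) & 0xff;
	asalt[salt_len + 3] = count & 0xff;
	*out_len = salt_len + 4;
	return asalt;
}

int main(void)
{
	/* Constructed boundary values around the wrap point. */
	size_t cases[] = { 16, SIZE_MAX - 4, SIZE_MAX - 3, SIZE_MAX - 2 };
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("salt_len=%zu quoted_check=%d malloc_arg=%zu\n", cases[i],
		    quoted_check_accepts(cases[i]), alloc_request(cases[i]));
	return 0;
}
```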
