Yep, thanks. Would have done this myself but don't actually use Open.
On 28 June 2012 16:51, Mike Belopuhov <[email protected]> wrote:
> On Thu, Jun 28, 2012 at 16:04 +0100, Andrew Nelless wrote:
>> Hi,
>>
>> The range checking of the salt length (salt_len) in pkcs5_pbkdf2() on
>> line 90 of src/sbin/bioctl/pbkdf2.c is a bit off:
>>
>> 90: if (salt_len == 0 || salt_len > SIZE_MAX - 1)
>> 91: return -1;
>> 92: if ((asalt = malloc(salt_len + 4)) == NULL)
>> 94: return -1;
>>
>> If (SIZE_MAX - 2) is passed to this function "asalt" will be
>> malloc(1)'d and the subsequent memcpy on line 95 will segfault.
>> This has no impact on bioctl, but this implementation is linked to from
>> the PBKDF2 Wikipedia article, and may be copied and used by others.
>>
>> Regards,
>>
>> Andrew
>>
>
> thanks for reporting this. the diff below should fix the problem.
>
> ok?
>
> diff --git sbin/bioctl/pbkdf2.c sbin/bioctl/pbkdf2.c
> index eba68ad..67ff075 100644
> --- sbin/bioctl/pbkdf2.c
> +++ sbin/bioctl/pbkdf2.c
> @@ -87,7 +87,7 @@ pkcs5_pbkdf2(const char *pass, size_t pass_len, const char
*salt, size_t salt_le
>
> if (rounds < 1 || key_len == 0)
> return -1;
> - if (salt_len == 0 || salt_len > SIZE_MAX - 1)
> + if (salt_len == 0 || salt_len > SIZE_MAX - 4)
> return -1;
> if ((asalt = malloc(salt_len + 4)) == NULL)
> return -1;
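Review bot: the new bound `salt_len > SIZE_MAX - 4` is exactly the one the allocation two lines down needs, since `malloc(salt_len + 4)` can no longer wrap once salt_len <= SIZE_MAX - 4, and the reported SIZE_MAX - 2 case now returns -1 instead of producing a one-byte buffer for the memcpy. One small suggestion for this hunk: the `- 4` in the check and the `+ 4` in the malloc are the same magic number, so either a one-line comment above the check or a shared constant would keep them from drifting apart if someone later changes how much is appended to the salt. Note that salt_len == SIZE_MAX - 4 still passes the check and asks malloc for SIZE_MAX bytes; that is fine, as the existing NULL check handles the allocation failure.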
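Below is an added example, not bioctl's code, that puts the two checks side by side and shows the wrap numerically: the old bound accepts SIZE_MAX - 2 and hands malloc() 1 byte, the new bound rejects it. The macro PBKDF2_BLOCK_INDEX_LEN and the helper make_asalt() are names made up for this example; the helper builds salt || INT(i) the way pkcs5_pbkdf2 does (PBKDF2 appends a 4-byte big-endian block index to the salt, which is what the "+ 4" is for), guarded by the fixed check. The salt "NaCl" is a constructed sample input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not bioctl's code. PBKDF2 appends a 4-byte big-endian
 * block index INT(i) to the salt before each PRF call; that is the
 * "+ 4" in pbkdf2.c. This macro name is an assumption of this example.
 */
#define PBKDF2_BLOCK_INDEX_LEN 4

/*
 * The bound as it stood before the diff: only SIZE_MAX itself is
 * rejected, so salt_len + 4 still wraps for the three values below it.
 */
bool
salt_len_ok_before(size_t salt_len)
{
	return !(salt_len == 0 || salt_len > SIZE_MAX - 1);
}

/* The bound from the diff: guarantees salt_len + 4 <= SIZE_MAX. */
bool
salt_len_ok_after(size_t salt_len)
{
	return !(salt_len == 0 || salt_len > SIZE_MAX - PBKDF2_BLOCK_INDEX_LEN);
}

/* What malloc() is actually handed; size_t addition wraps modulo SIZE_MAX + 1. */
size_t
asalt_alloc_size(size_t salt_len)
{
	return salt_len + PBKDF2_BLOCK_INDEX_LEN;
}

/*
 * Hypothetical helper (this example's name, not bioctl's): build
 * salt || INT(block_index) as pkcs5_pbkdf2 does, but refuse any length
 * the fixed check rejects. Returns NULL on a bad length or when malloc()
 * fails; the caller frees the result.
 */
unsigned char *
make_asalt(const unsigned char *salt, size_t salt_len, uint32_t block_index)
{
	unsigned char *asalt;

	if (!salt_len_ok_after(salt_len))
		return NULL;
	if ((asalt = malloc(salt_len + PBKDF2_BLOCK_INDEX_LEN)) == NULL)
		return NULL;
	memcpy(asalt, salt, salt_len);
	asalt[salt_len + 0] = (unsigned char)(block_index >> 24);
	asalt[salt_len + 1] = (unsigned char)(block_index >> 16);
	asalt[salt_len + 2] = (unsigned char)(block_index >> 8);
	asalt[salt_len + 3] = (unsigned char)block_index;
	return asalt;
}

int
main(void)
{
	size_t bad = SIZE_MAX - 2;			/* the value from the bug report */
	static const unsigned char salt[] = "NaCl";	/* constructed sample salt */
	unsigned char *asalt;
	size_t i;

	printf("salt_len = SIZE_MAX - 2: old check %s, malloc would get %zu byte(s), new check %s\n",
	    salt_len_ok_before(bad) ? "accepts" : "rejects",
	    asalt_alloc_size(bad),
	    salt_len_ok_after(bad) ? "accepts" : "rejects");

	if ((asalt = make_asalt(salt, 4, 1)) == NULL)
		return 1;
	for (i = 0; i < 4 + PBKDF2_BLOCK_INDEX_LEN; i++)
		printf("%02x", asalt[i]);
	printf("\n");	/* prints 4e61436c00000001 */
	free(asalt);
	return 0;
}
```

The same pattern applies to any "allocate n + k" site: the check must be against SIZE_MAX - k, not SIZE_MAX - 1, or the sum can wrap to a tiny allocation that the following memcpy then overruns.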