When running CVS HEAD under valgrind, valgrind complains that openssl is
reading memory beyond the allocated boundary.  Specifically, it's the
code in fips_get_entropy():

static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
                int entropy, size_t min_len, size_t max_len)
    {
    unsigned char *tout, *p;
    size_t bl = dctx->entropy_blocklen, rv;
    if (dctx->flags & DRBG_FLAG_TEST || !bl)
        return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
    rv = dctx->get_entropy(dctx, &tout, entropy + bl,
                min_len + bl, max_len + bl);
    *pout = tout + bl;
    if (rv < (min_len + bl) || (rv % bl))
        return 0;
    /* Compare consecutive blocks for continuous PRNG test */
    for (p = tout; p < tout + rv; p += bl)
        {
        if (!memcmp(p, p + bl, bl))

In this for-loop, it seems to me that we compare, block by block, the
output of the PRNG to check that no block is identical to the previous
one.  However, given three blocks (bl == 20, rv == 60, which is the case
in my tests), we compare

offset 0 and offset 20, length 20
offset 20 and offset 40, length 20
offset 40 and offset 60, length 20

where the last one is invalid, since the 20 bytes at offset 60 are,
well, someone else's.  I've tried with the attached patch, and that
shuts up valgrind.  I might be wrong here, but it seems to me that
comparing block 1 to block 2 and block 2 to block 3 should be
sufficient.


diff -urN openssl-SNAP-20110513.orig/fips/rand/fips_drbg_lib.c openssl-SNAP-20110513.new/fips/rand/fips_drbg_lib.c
--- openssl-SNAP-20110513.orig/fips/rand/fips_drbg_lib.c	2011-04-23 23:00:06.000000000 +0200
+++ openssl-SNAP-20110513.new/fips/rand/fips_drbg_lib.c	2011-05-23 10:36:10.676031482 +0200
@@ -145,7 +145,7 @@
 	if (rv < (min_len + bl) || (rv % bl))
 		return 0;
 	/* Compare consecutive blocks for continuous PRNG test */
-	for (p = tout; p < tout + rv; p += bl)
+	for (p = tout; p + bl < tout + rv; p += bl)
 		{
 		if (!memcmp(p, p + bl, bl))
 			{
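Review bot: the patched bound `p + bl < tout + rv` still lets the loop run zero times when rv == bl, which the guard two lines above admits whenever min_len is 0; if a single returned block is not acceptable, reject rv < 2 * bl before the loop, otherwise add a comment saying a one-block result is deliberately left uncompared. On the fix itself: with rv == 60 and bl == 20 the new bound compares offsets 0/20 and 20/40 and then stops, and because rv % bl == 0 is already enforced the final memcmp ends exactly at tout + rv, so the read past the buffer described in the report is gone. A one-line comment that the chain starts at tout, the extra block the caller discards via `*pout = tout + bl`, rather than at `*pout` would also help, since it explains why the first block actually handed out is still compared against its predecessor.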

-- 
Henrik Grindal Bakken    <[email protected]>
Software developer
Cisco Systems

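The consecutive-block check discussed in the post, written out as a stand-alone C example that is not OpenSSL's code or the poster's patch. It counts how many memcmp() calls the original and the patched loop bounds perform for the rv == 60, bl == 20 case, runs the patched bound over constructed sample buffers (one with three distinct blocks, one with a repeated block), and mirrors the caller's shape in which the first block is requested only for the test and discarded. All function names (compare_count_original, compare_count_patched, continuous_block_test, checked_entropy, fill_distinct_blocks, sample_passes, sample_detects_repeat) and the sample data are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Iterations the original bound performs for rv bytes in bl-byte blocks:
 *   for (p = tout; p < tout + rv; p += bl)
 * runs rv / bl times, and the final memcmp(p, p + bl, bl) reads the bl
 * bytes at tout + rv, i.e. past the end of the buffer. */
size_t compare_count_original(size_t rv, size_t bl)
{
    return bl ? rv / bl : 0;
}

/* Iterations the patched bound performs:
 *   for (p = tout; p + bl < tout + rv; p += bl)
 * runs rv / bl - 1 times; every read stays inside [tout, tout + rv). */
size_t compare_count_patched(size_t rv, size_t bl)
{
    if (!bl || rv < bl)
        return 0;
    return rv / bl - 1;
}

/* Continuous (consecutive-block) test with the patched bound.
 * Returns 1 when no two adjacent blocks are identical, 0 when a repeat is
 * found or the input is malformed (rv not a multiple of bl, or fewer than
 * two blocks, in which case there is nothing to compare). */
int continuous_block_test(const unsigned char *buf, size_t rv, size_t bl)
{
    const unsigned char *p;

    if (!bl || rv % bl || rv < 2 * bl)
        return 0;
    /* On the last iteration p == buf + rv - 2*bl, so p + bl + bl == buf + rv:
     * the memcmp never touches a byte at or beyond buf + rv. */
    for (p = buf; p + bl < buf + rv; p += bl)
        if (!memcmp(p, p + bl, bl))
            return 0;
    return 1;
}

/* Mirrors the caller's shape in the post: the first block of the raw buffer
 * is the extra block requested only for the test and is discarded, so the
 * usable entropy starts bl bytes in. Returns NULL when the test fails. */
const unsigned char *checked_entropy(const unsigned char *raw, size_t rv,
                                     size_t bl, size_t *out_len)
{
    if (!continuous_block_test(raw, rv, bl)) {
        *out_len = 0;
        return NULL;
    }
    *out_len = rv - bl;
    return raw + bl;
}

/* Constructed sample input: block k is filled with the byte value k + 1. */
static void fill_distinct_blocks(unsigned char *buf, size_t rv, size_t bl)
{
    size_t i;
    for (i = 0; i < rv; i++)
        buf[i] = (unsigned char)(i / bl + 1);
}

/* Three distinct 20-byte blocks (rv == 60, bl == 20, as in the post). */
int sample_passes(void)
{
    unsigned char buf[60];
    fill_distinct_blocks(buf, sizeof buf, 20);
    return continuous_block_test(buf, sizeof buf, 20);
}

/* Same layout, but block 2 duplicates block 1: the test must fail. */
int sample_detects_repeat(void)
{
    unsigned char buf[60];
    fill_distinct_blocks(buf, sizeof buf, 20);
    memcpy(buf + 40, buf + 20, 20);
    return continuous_block_test(buf, sizeof buf, 20);
}

int main(void)
{
    size_t n;
    unsigned char buf[60];

    printf("original bound: %zu compares, patched bound: %zu compares\n",
           compare_count_original(60, 20), compare_count_patched(60, 20));
    printf("distinct blocks pass: %d, repeated block detected: %d\n",
           sample_passes(), !sample_detects_repeat());
    fill_distinct_blocks(buf, sizeof buf, 20);
    if (checked_entropy(buf, sizeof buf, 20, &n))
        printf("usable entropy after discarding the test block: %zu bytes\n", n);
    return 0;
}
```

The counts make the off-by-one visible without an overread: the original bound performs three comparisons for three blocks, the third of which would read 20 bytes past the end, while the patched bound performs two. continuous_block_test also rejects rv < 2 * bl up front, the case the posted guard `rv < (min_len + bl)` leaves open when min_len is 0.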