---
 src/message.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/message.c b/src/message.c
index 68ee9e7..333ee0c 100644
--- a/src/message.c
+++ b/src/message.c
@@ -22,6 +22,7 @@
 /* system headers */
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <time.h>
 
 /* libgcrypt headers */
@@ -1923,17 +1924,22 @@ gcry_error_t otrl_message_symkey(OtrlUserState us,
        unsigned int use, const unsigned char *usedata, size_t usedatalen,
        unsigned char *symkey)
 {
-    if (!context || (usedatalen > 0 && !usedata)) {
-       return gcry_error(GPG_ERR_INV_VALUE);
+    if (!context || (usedatalen > 0 && !usedata) || usedatalen > SIZE_MAX-4) {
+        return gcry_error(GPG_ERR_INV_VALUE);
     }
 
     if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED &&
            context->context_priv->their_keyid > 0) {
-       unsigned char *tlvdata = malloc(usedatalen+4);
+        unsigned char *tlvdata = NULL;
        char *encmsg = NULL;
        gcry_error_t err;
        OtrlTLV *tlv;
 
+        tlvdata = malloc(usedatalen+4);
+        if (!tlvdata) {
+            return gcry_error(GPG_ERR_ENOMEM);
+        }
+
        tlvdata[0] = (use >> 24) & 0xff;
        tlvdata[1] = (use >> 16) & 0xff;
        tlvdata[2] = (use >> 8) & 0xff;
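Review bot: The added bound `usedatalen > SIZE_MAX-4` in the opening check only stops `usedatalen+4` from wrapping in the `malloc` call; it still accepts lengths far beyond what an OTR TLV can carry, since the TLV length field is two bytes on the wire. The rest of `otrl_message_symkey` is outside this hunk, so this needs confirming, but if `usedatalen+4` is later passed to a TLV constructor that takes a 16-bit length, an oversized value would be silently truncated and the peer would receive a TLV that does not match what the caller supplied. Consider rejecting at the protocol limit instead, e.g. `usedatalen > 0xffff - 4`, which also makes the `SIZE_MAX` comparison and the new `<stdint.h>` include unnecessary. A short comment above the check, such as `/* 4 bytes of "use" precede usedata in the TLV payload */`, would explain where the 4 comes from.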
-- 
2.1.2
