lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 22 Nov 2013 15:54:01 +0100
From:	"Marksteiner, Stefan" <stefan.marksteiner@...nneum.at>
To:	netdev@...r.kernel.org
Subject: Possible bit/byte conversion mistake in xfrm_state.c

Hi folks,

I might have found a little bit/byte mistake in xfrm_state.c of 
iproute2-3.11.0 (and also lower versions).

In line 169 the algorithm length is set correctly ("alg->alg_key_len = 
len * 8;") in bits (as it is supposed by /usr/include/linux/xfrm.h, line 
101), but later in line 496 the same value is read and added to a length 
value in bytes ("len += alg.u.alg.alg_key_len;").

I'm not completetly sure, but I'm wondering if this might lead to errors 
for algorithms with big key sizes (>2048 bits)  for the key buffer 
("char buf[RTA_BUF_SIZE]" in line 274)  reserves only 2048 bytes of 
memory (RTA_BUF_SIZE=2048). So taking bits for bytes, the following 
memcopy operation may overwrite adjacent memory areas.

Can somebody verify if this is in fact an issue? Maybe I'm reading this 
whole stuff wrong.

Cheers,

Stefan


Download attachment "smime.p7s" of type "application/pkcs7-signature" (4282 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ