[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <528F7009.4080303@joanneum.at>
Date: Fri, 22 Nov 2013 15:54:01 +0100
From: "Marksteiner, Stefan" <stefan.marksteiner@...nneum.at>
To: netdev@...r.kernel.org
Subject: Possible bit/byte conversion mistake in xfrm_state.c
Hi folks,
I might have found a little bit/byte mistake in xfrm_state.c of
iproute2-3.11.0 (and also lower versions).
In line 169 the algorithm length is set correctly ("alg->alg_key_len =
len * 8;") in bits (as it is supposed by /usr/include/linux/xfrm.h, line
101), but later in line 496 the same value is read and added to a length
value in bytes ("len += alg.u.alg.alg_key_len;").
I'm not completetly sure, but I'm wondering if this might lead to errors
for algorithms with big key sizes (>2048 bits) for the key buffer
("char buf[RTA_BUF_SIZE]" in line 274) reserves only 2048 bytes of
memory (RTA_BUF_SIZE=2048). So taking bits for bytes, the following
memcopy operation may overwrite adjacent memory areas.
Can somebody verify if this is in fact an issue? Maybe I'm reading this
whole stuff wrong.
Cheers,
Stefan
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4282 bytes)
Powered by blists - more mailing lists