* out of bound access in libsec
@ 2017-01-17 20:59 Giacomo Tesio
2017-01-17 21:27 ` [9front] " cinap_lenrek
0 siblings, 1 reply; 6+ messages in thread
From: Giacomo Tesio @ 2017-01-17 20:59 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs, 9front
[-- Attachment #1: Type: text/plain, Size: 539 bytes --]
Hi, running coverity scan on libsec it reported two defects that do not
seem false positives:
1. an out of bound access to aesXCBCmac (see
https://github.com/JehanneOS/jehanne/issues/3 )
2. an out of bound access in msgRecv, tlshand.c:1809 (see
https://github.com/JehanneOS/jehanne/issues/4 )
I verified that the code is more or less the same on 9front.
I "fixed" the first with an assert, but I'm not sure wherther passing
sizeof(m->u.finished.verify) to memset in the second is the correct
solution.
Am I missing something?
Giacomo
[-- Attachment #2: Type: text/html, Size: 940 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec
2017-01-17 20:59 out of bound access in libsec Giacomo Tesio
@ 2017-01-17 21:27 ` cinap_lenrek
2017-01-17 21:36 ` cinap_lenrek
0 siblings, 1 reply; 6+ messages in thread
From: cinap_lenrek @ 2017-01-17 21:27 UTC (permalink / raw)
To: 9front
on 2), how is there an out of bounds access? m->u.finished.n gets
initialized to c->finished.n, which is eigther 0 before setVersion()
as emalloc() zeros the TlsConnection struct or SSL3FinishedLen/TLSFinishedLen
after when we got the client/server hello. not 32767.
--
cinap
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec
2017-01-17 21:27 ` [9front] " cinap_lenrek
@ 2017-01-17 21:36 ` cinap_lenrek
2017-01-17 21:51 ` cinap_lenrek
2017-01-17 22:50 ` Giacomo Tesio
0 siblings, 2 replies; 6+ messages in thread
From: cinap_lenrek @ 2017-01-17 21:36 UTC (permalink / raw)
To: 9front
on 1), the comment says right here that it does not deal with keys
bigger than 128 bits. which is implied by s->keybytes == 16. so rounds
is 10 here as of aes_setupEnc(). given 4*(10+1) == 48, so the buffer
size holds.
--
cinap
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec
2017-01-17 21:36 ` cinap_lenrek
@ 2017-01-17 21:51 ` cinap_lenrek
2017-01-17 22:50 ` Giacomo Tesio
1 sibling, 0 replies; 6+ messages in thread
From: cinap_lenrek @ 2017-01-17 21:51 UTC (permalink / raw)
To: 9front
sorry, i ment 4*(10+1) < 48 :-)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec
2017-01-17 21:36 ` cinap_lenrek
2017-01-17 21:51 ` cinap_lenrek
@ 2017-01-17 22:50 ` Giacomo Tesio
2017-01-17 22:55 ` cinap_lenrek
1 sibling, 1 reply; 6+ messages in thread
From: Giacomo Tesio @ 2017-01-17 22:50 UTC (permalink / raw)
To: 9front
[-- Attachment #1: Type: text/plain, Size: 438 bytes --]
For 1) aesXCBCmac is an exported function thus it could get a broken
AESstate from the caller.
For 2) you are right... thanks!
Giacomo
2017-01-17 22:36 GMT+01:00 <cinap_lenrek@felloff.net>:
> on 1), the comment says right here that it does not deal with keys
> bigger than 128 bits. which is implied by s->keybytes == 16. so rounds
> is 10 here as of aes_setupEnc(). given 4*(10+1) == 48, so the buffer
> size holds.
>
> --
> cinap
>
[-- Attachment #2: Type: text/html, Size: 799 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec
2017-01-17 22:50 ` Giacomo Tesio
@ 2017-01-17 22:55 ` cinap_lenrek
0 siblings, 0 replies; 6+ messages in thread
From: cinap_lenrek @ 2017-01-17 22:55 UTC (permalink / raw)
To: 9front
> For 1) aesXCBCmac is an exported function thus it could get a broken
> AESstate from the caller.
thats not how aes works. the number of rounds depends on the key size.
it would be really strange if someone broke that assumption.
--
cinap
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-01-17 22:55 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-17 20:59 out of bound access in libsec Giacomo Tesio
2017-01-17 21:27 ` [9front] " cinap_lenrek
2017-01-17 21:36 ` cinap_lenrek
2017-01-17 21:51 ` cinap_lenrek
2017-01-17 22:50 ` Giacomo Tesio
2017-01-17 22:55 ` cinap_lenrek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).