* out of bound access in libsec @ 2017-01-17 20:59 Giacomo Tesio 2017-01-17 21:27 ` [9front] " cinap_lenrek 0 siblings, 1 reply; 6+ messages in thread From: Giacomo Tesio @ 2017-01-17 20:59 UTC (permalink / raw) To: Fans of the OS Plan 9 from Bell Labs, 9front [-- Attachment #1: Type: text/plain, Size: 539 bytes --] Hi, running coverity scan on libsec it reported two defects that do not seem false positives: 1. an out of bound access to aesXCBCmac (see https://github.com/JehanneOS/jehanne/issues/3 ) 2. an out of bound access in msgRecv, tlshand.c:1809 (see https://github.com/JehanneOS/jehanne/issues/4 ) I verified that the code is more or less the same on 9front. I "fixed" the first with an assert, but I'm not sure wherther passing sizeof(m->u.finished.verify) to memset in the second is the correct solution. Am I missing something? Giacomo [-- Attachment #2: Type: text/html, Size: 940 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec 2017-01-17 20:59 out of bound access in libsec Giacomo Tesio @ 2017-01-17 21:27 ` cinap_lenrek 2017-01-17 21:36 ` cinap_lenrek 0 siblings, 1 reply; 6+ messages in thread From: cinap_lenrek @ 2017-01-17 21:27 UTC (permalink / raw) To: 9front on 2), how is there an out of bounds access? m->u.finished.n gets initialized to c->finished.n, which is eigther 0 before setVersion() as emalloc() zeros the TlsConnection struct or SSL3FinishedLen/TLSFinishedLen after when we got the client/server hello. not 32767. -- cinap ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec 2017-01-17 21:27 ` [9front] " cinap_lenrek @ 2017-01-17 21:36 ` cinap_lenrek 2017-01-17 21:51 ` cinap_lenrek 2017-01-17 22:50 ` Giacomo Tesio 0 siblings, 2 replies; 6+ messages in thread From: cinap_lenrek @ 2017-01-17 21:36 UTC (permalink / raw) To: 9front on 1), the comment says right here that it does not deal with keys bigger than 128 bits. which is implied by s->keybytes == 16. so rounds is 10 here as of aes_setupEnc(). given 4*(10+1) == 48, so the buffer size holds. -- cinap ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec 2017-01-17 21:36 ` cinap_lenrek @ 2017-01-17 21:51 ` cinap_lenrek 2017-01-17 22:50 ` Giacomo Tesio 1 sibling, 0 replies; 6+ messages in thread From: cinap_lenrek @ 2017-01-17 21:51 UTC (permalink / raw) To: 9front sorry, i ment 4*(10+1) < 48 :-) ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec 2017-01-17 21:36 ` cinap_lenrek 2017-01-17 21:51 ` cinap_lenrek @ 2017-01-17 22:50 ` Giacomo Tesio 2017-01-17 22:55 ` cinap_lenrek 1 sibling, 1 reply; 6+ messages in thread From: Giacomo Tesio @ 2017-01-17 22:50 UTC (permalink / raw) To: 9front [-- Attachment #1: Type: text/plain, Size: 438 bytes --] For 1) aesXCBCmac is an exported function thus it could get a broken AESstate from the caller. For 2) you are right... thanks! Giacomo 2017-01-17 22:36 GMT+01:00 <cinap_lenrek@felloff.net>: > on 1), the comment says right here that it does not deal with keys > bigger than 128 bits. which is implied by s->keybytes == 16. so rounds > is 10 here as of aes_setupEnc(). given 4*(10+1) == 48, so the buffer > size holds. > > -- > cinap > [-- Attachment #2: Type: text/html, Size: 799 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] out of bound access in libsec 2017-01-17 22:50 ` Giacomo Tesio @ 2017-01-17 22:55 ` cinap_lenrek 0 siblings, 0 replies; 6+ messages in thread From: cinap_lenrek @ 2017-01-17 22:55 UTC (permalink / raw) To: 9front > For 1) aesXCBCmac is an exported function thus it could get a broken > AESstate from the caller. thats not how aes works. the number of rounds depends on the key size. it would be really strange if someone broke that assumption. -- cinap ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-01-17 22:55 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-01-17 20:59 out of bound access in libsec Giacomo Tesio 2017-01-17 21:27 ` [9front] " cinap_lenrek 2017-01-17 21:36 ` cinap_lenrek 2017-01-17 21:51 ` cinap_lenrek 2017-01-17 22:50 ` Giacomo Tesio 2017-01-17 22:55 ` cinap_lenrek
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).