shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-09 09:54:25 +09:00
Code Issues Packages Projects Releases Wiki Activity

external: Fix a possible buffer overrun in bcrypt_pbkdf

Browse Source 
CID: #1250106

This fixes a 1 byte output overflow for large key length (not reachable
in libssh). Pulled from OpenBSD BCrypt PBKDF implementation.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Andreas Schneider
2015-05-04 16:39:51 +02:00
parent 4b9916136d
commit cf05e653de
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/external/bcrypt_pbkdf.c vendored
View File

@@ -112,6 +112,7 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltl
uint8_t *countsalt; uint8_t *countsalt;
size_t i, j, amt, stride; size_t i, j, amt, stride;
uint32_t count; uint32_t count;
size_t origkeylen = keylen;
SHA512CTX ctx; SHA512CTX ctx;
/* nothing crazy */ /* nothing crazy */
@@ -161,9 +162,14 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltl
* pbkdf2 deviation: ouput the key material non-linearly. * pbkdf2 deviation: ouput the key material non-linearly.
*/ */
amt = MIN(amt, keylen); amt = MIN(amt, keylen);
for (i = 0; i < amt; i++) for (i = 0; i < amt; i++) {
key[i * stride + (count - 1)] = out[i]; size_t dest = i * stride + (count - 1);
keylen -= amt; if (dest >= origkeylen) {
break;
}
key[dest] = out[i];
}
keylen -= i;
} }
/* zap */ /* zap */