[corosync-pve.git] / patches / 0009-totemcrypto-Check-length-of-the-packet.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Mon, 19 Mar 2018 16:59:41 +0100
Subject: [PATCH] totemcrypto: Check length of the packet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Packet has to be longer than crypto_config_header and hash_len,
otherwise unallocated memory is passed into calculate_nss_hash function,
what may result in crash.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
(cherry picked from commit fc1d5418533c1faf21616b282c2559bed7d361c4)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 exec/totemcrypto.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
index 9f8f083c..d8d0fcae 100644
--- a/exec/totemcrypto.c
+++ b/exec/totemcrypto.c
@@ -864,6 +864,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
 		return (-1);
 	}
 
+	if (*buf_len <= sizeof(struct crypto_config_header)) {
+		log_printf(instance->log_level_security, "Received message is too short...  ignoring");
+
+		return (-1);
+	}
+
 	if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
 		guessed_str = NULL;
Commit	Line	Data
8df5f405 FG	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Jan Friesse <jfriesse@redhat.com>
	3	Date: Mon, 19 Mar 2018 16:59:41 +0100
	4	Subject: [PATCH] totemcrypto: Check length of the packet
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Packet has to be longer than crypto_config_header and hash_len,
	10	otherwise unallocated memory is passed into calculate_nss_hash function,
	11	what may result in crash.
	12
	13	Signed-off-by: Jan Friesse <jfriesse@redhat.com>
	14	Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>
	15	Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
	16	(cherry picked from commit fc1d5418533c1faf21616b282c2559bed7d361c4)
	17	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	18	---
e77cc04e FG	19	exec/totemcrypto.c \| 6 ++++++
e77cc04e FG	20	1 file changed, 6 insertions(+)
8df5f405 FG	21
8df5f405 FG	22	diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
e77cc04e	23	index 9f8f083c..d8d0fcae 100644
8df5f405 FG	24	--- a/exec/totemcrypto.c
8df5f405 FG	25	+++ b/exec/totemcrypto.c
e77cc04e FG	26	@@ -864,6 +864,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
	27	return (-1);
	28	}
8df5f405 FG	29
	30	+ if (*buf_len <= sizeof(struct crypto_config_header)) {
	31	+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
	32	+
	33	+ return (-1);
	34	+ }
	35	+
	36	if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
e77cc04e FG	37	guessed_str = NULL;
e77cc04e FG	38