patches/0009-totemcrypto-Check-length-of-the-packet.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: Jan Friesse <jfriesse@redhat.com>
   3 Date: Mon, 19 Mar 2018 16:59:41 +0100
   4 Subject: [PATCH] totemcrypto: Check length of the packet
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 Packet has to be longer than crypto_config_header and hash_len,
  10 otherwise unallocated memory is passed into calculate_nss_hash function,
  11 what may result in crash.
  12
  13 Signed-off-by: Jan Friesse <jfriesse@redhat.com>
  14 Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>
  15 Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
  16 (cherry picked from commit fc1d5418533c1faf21616b282c2559bed7d361c4)
  17 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
  18 ---
  19  exec/totemcrypto.c | 6 ++++++
  20  1 file changed, 6 insertions(+)
  21
  22 diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
  23 index 9f8f083c..d8d0fcae 100644
  24 --- a/exec/totemcrypto.c
  25 +++ b/exec/totemcrypto.c
  26 @@ -864,6 +864,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
  27                 return (-1);
  28         }
  29
  30 +       if (*buf_len <= sizeof(struct crypto_config_header)) {
  31 +               log_printf(instance->log_level_security, "Received message is too short...  ignoring");
  32 +
  33 +               return (-1);
  34 +       }
  35 +
  36         if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
  37                 guessed_str = NULL;
  38