taking sizeof(ptr) is incorrect to determine size of passed in hash
tls_key_x_server_params_hash() callers src/tls/tlsv1_client_read.c
and src/tls/tlsv1_server_write.c both pass in a large enough hash
(hash[64] or hash[100]) that this does not appear to have an impact,
though it is still wrong.
Signed-off-by: Glenn Strauss <gstrauss@xxxxxxxxxxxxx>
---
src/tls/tlsv1_client_read.c | 3 ++-
src/tls/tlsv1_common.c | 6 ++++--
src/tls/tlsv1_common.h | 3 ++-
src/tls/tlsv1_server_write.c | 2 +-
4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index 3825a7380..9df56c257 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -771,7 +771,8 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
hlen = tls_key_x_server_params_hash(
conn->rl.tls_version, conn->client_random,
conn->server_random, server_params,
- server_params_end - server_params, hash);
+ server_params_end - server_params, hash,
+ sizeof(hash));
}
if (hlen < 0)
diff --git a/src/tls/tlsv1_common.c b/src/tls/tlsv1_common.c
index e178915a4..0dd8e2799 100644
--- a/src/tls/tlsv1_common.c
+++ b/src/tls/tlsv1_common.c
@@ -378,7 +378,7 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
const u8 *server_random,
const u8 *server_params,
- size_t server_params_len, u8 *hash)
+ size_t server_params_len, u8 *hash, size_t hsz)
{
u8 *hpos;
size_t hlen;
@@ -393,6 +393,8 @@ int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
crypto_hash_update(ctx, server_params, server_params_len);
hlen = MD5_MAC_LEN;
+ if (hsz < hlen)
+ return -1;
if (crypto_hash_finish(ctx, hash, &hlen) < 0)
return -1;
hpos += hlen;
@@ -403,7 +405,7 @@ int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
crypto_hash_update(ctx, server_params, server_params_len);
- hlen = hash + sizeof(hash) - hpos;
+ hlen = hsz - hlen;
if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
return -1;
hpos += hlen;
diff --git a/src/tls/tlsv1_common.h b/src/tls/tlsv1_common.h
index e30b15a03..4cfdc2d55 100644
--- a/src/tls/tlsv1_common.h
+++ b/src/tls/tlsv1_common.h
@@ -267,7 +267,8 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_Alg,
int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
const u8 *server_random,
const u8 *server_params,
- size_t server_params_len, u8 *hash);
+ size_t server_params_len,
+ u8 *hash, size_t hsz);
int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
const u8 *data, size_t data_len,
const u8 *pos, size_t len, u8 *alert);
diff --git a/src/tls/tlsv1_server_write.c b/src/tls/tlsv1_server_write.c
index 8d36cf135..545abae2b 100644
--- a/src/tls/tlsv1_server_write.c
+++ b/src/tls/tlsv1_server_write.c
@@ -620,7 +620,7 @@ static int tls_write_server_key_exchange(struct tlsv1_server *conn,
hlen = tls_key_x_server_params_hash(
conn->rl.tls_version, conn->client_random,
conn->server_random, server_params,
- pos - server_params, hash);
+ pos - server_params, hash, sizeof(hash));
}
if (hlen < 0) {
--
2.38.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
