Re: BUG: drbg: Added nodes from Stack Memory in link list


On Wednesday, 3 May 2017, 14:47:24 CEST, Harsh Jain wrote:

Hi Harsh,

> Hi Stephen,
> 
> In the drbg driver, local variables of a function are added as list nodes.
> One instance is given below.
> 
> 
> static inline int __init drbg_healthcheck_sanity(void)
> 
> 
> 
> ---
> ---
> 
> max_addtllen = drbg_max_addtl(drbg);
> max_request_bytes = drbg_max_request_bytes(drbg);
> drbg_string_fill(&addtl, buf, max_addtllen + 1);
> /* overflow addtllen with additional info string */
> len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
> 
> ===> Added "addtllist" to the tail, which is a local variable.
> 
> 
> BUG_ON(0 < len);
> /* overflow max_bits */
> len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
> BUG_ON(0 < len);
> 
> /* overflow max addtllen with personalization string */
> ret = drbg_seed(drbg, &addtl, false);
> 
> ====> Added "seedlist" to the tail of the same list. The previous
> node (addtllist) is already invalid (out of scope when the function returns).
> 
> 
> BUG_ON(0 == ret);
> /* all tests passed */
> rc = 0;
> 
> 
> 
> Is it a BUG, or did I miss something?

:-) You are right that in normal processing this is a bug. But this is a 
special function which shall perform sanity checks for the maximum length 
enforcement. Thus, addtllist or seedlist should never be filled.

To be precise: The called code is expected to return an error before the 
variables are used due to the length checks. If these errors do not appear, 
something is wrong with the DRBG which causes the BUG_ON.

The following error conditions are triggered:

        /* 9.3.1 step 2 */
        len = -EINVAL;
        if (buflen > (drbg_max_request_bytes(drbg))) {
                pr_devel("DRBG: requested random numbers too large %u\n",
                         buflen);
                goto err;
        }

        /* 9.3.1 step 4 */
        if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
                pr_devel("DRBG: additional information string too long %zu\n",
                         addtl->len);
                goto err;
        }


Ciao
Stephan
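
Added example, not part of the original message and not kernel code: a simplified userspace C model of the ordering discussed in this thread, where the length checks return an error before the caller's stack-allocated node can be linked. All `model_*` names, the list layout and the limits are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model; every name here is hypothetical. */
struct node { struct node *next; };
struct model_string { size_t len; struct node list; };
struct model_drbg {
    size_t max_addtl, max_request;
    struct node *head;  /* list that must never hold a stack node */
    size_t linked;
};

/* Length checks run first, so an oversized request is rejected before
 * the caller's (possibly stack-allocated) node is ever linked. */
static int model_generate(struct model_drbg *d, size_t buflen,
                          struct model_string *addtl)
{
    if (buflen > d->max_request)
        return -EINVAL;
    if (addtl && addtl->len > d->max_addtl)
        return -EINVAL;
    if (addtl && addtl->len) {
        addtl->list.next = d->head;
        d->head = &addtl->list;
        d->linked++;
    }
    return (int)buflen;
}

/* Both oversized calls must fail, and nothing may have been linked. */
static int model_sanity(struct model_drbg *d)
{
    struct model_string addtl = { d->max_addtl + 1, { NULL } }; /* on stack */

    if (model_generate(d, 16, &addtl) > 0)
        return -1;
    if (model_generate(d, d->max_request + 1, NULL) > 0)
        return -1;
    return d->linked == 0 ? 0 : -1;
}

int main(void)
{
    struct model_drbg d = { 8, 32, NULL, 0 };  /* constructed limits */
    int rc = model_sanity(&d);
    printf("sanity=%d linked=%zu\n", rc, d.linked);
    return 0;
}
```

If either check were moved below the linking step, `model_sanity` would leave a pointer to its own stack frame in `d->head`, which is the dangling-node condition raised in the quoted question.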


