Attachment 303537 Details for Bug 440049 – Upstream patch (for posterity)

[patch] Upstream patch (for posterity)

silc.git-b36495161037e52ad993202da5d3df1837235d24.patch (text/plain), 1.31 KB, created by Josh Bressers on 2008-04-23 19:09:23 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Josh Bressers

Created: 2008-04-23 19:09:23 UTC

Size: 1.31 KB

patch

obsolete

>From: Pekka Riikonen <priikone@silcnet.org>
>Date: Thu, 20 Mar 2008 06:35:48 +0000 (+0200)
>Subject: Fixed possible buffer overflow in PKCS#1 message decoding.
>X-Git-Tag: silc.client.1.1.4
>X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff_plain;h=b36495161037e52ad993202da5d3df1837235d24
>
>Fixed possible buffer overflow in PKCS#1 message decoding.
>
>Vulnerability reported by Core Security Technologies.  Thanks.
>---
>
>diff --git a/lib/silccrypt/silcpkcs1.c b/lib/silccrypt/silcpkcs1.c
>index 283f1ab..0a75f80 100644
>--- a/lib/silccrypt/silcpkcs1.c
>+++ b/lib/silccrypt/silcpkcs1.c
>@@ -108,7 +108,7 @@ SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
> 			   SilcUInt32 dest_data_size,
> 			   SilcUInt32 *dest_len)
> {
>-  int i = 0;
>+  SilcUInt32 i = 0;
> 
>   SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
> 
>@@ -141,11 +141,19 @@ SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
>   }
> 
>   /* Sanity checks */
>+  if (i >= data_len) {
>+    SILC_LOG_DEBUG(("Malformed block"));
>+    return FALSE;
>+  }
>+  if (i < SILC_PKCS1_MIN_PADDING) {
>+    SILC_LOG_DEBUG(("Malformed block"));
>+    return FALSE;
>+  }
>   if (data[i++] != 0x00) {
>     SILC_LOG_DEBUG(("Malformed block"));
>     return FALSE;
>   }
>-  if (i - 1 < SILC_PKCS1_MIN_PADDING) {
>+  if (i >= data_len) {
>     SILC_LOG_DEBUG(("Malformed block"));
>     return FALSE;
>   }

Actions: View | Diff

Attachments on bug 440049: 303537