forked from osmocom/wireshark
dtls: fix buffer overflow in mac check. Bug 9512 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9512)
From Hauke Mehrtens svn path=/trunk/; revision=53842
This commit is contained in:
Michael Mann
parent
20e0d853ce
commit
21ca76a3ad
|
|
@ -1385,6 +1385,7 @@ ssl_hmac_final(SSL_HMAC* md, guchar* data, guint* datalen)
|
|||
|
||||
algo = gcry_md_get_algo (*(md));
|
||||
len = gcry_md_get_algo_dlen(algo);
|
||||
DISSECTOR_ASSERT(len <= *datalen);
|
||||
memcpy(data, gcry_md_read(*(md), algo), len);
|
||||
*datalen = len;
|
||||
}
|
||||
|
|
@ -1758,6 +1759,8 @@ static const SslDigestAlgo digests[]={
|
|||
{"Not Applicable", 0},
|
||||
};
|
||||
|
||||
#define DIGEST_MAX_SIZE 48
|
||||
|
||||
/* get index digest index */
|
||||
static const SslDigestAlgo *
|
||||
ssl_cipher_suite_dig(SslCipherSuite *cs) {
|
||||
|
|
@ -1964,7 +1967,7 @@ tls_hash(StringInfo* secret, StringInfo* seed, gint md, StringInfo* out)
|
|||
guint left;
|
||||
gint tocpy;
|
||||
guint8 *A;
|
||||
guint8 _A[48],tmp[48];
|
||||
guint8 _A[DIGEST_MAX_SIZE],tmp[DIGEST_MAX_SIZE];
|
||||
guint A_l,tmp_l;
|
||||
SSL_HMAC hm;
|
||||
ptr = out->data;
|
||||
|
|
@ -1979,6 +1982,7 @@ tls_hash(StringInfo* secret, StringInfo* seed, gint md, StringInfo* out)
|
|||
while(left){
|
||||
ssl_hmac_init(&hm,secret->data,secret->data_len,md);
|
||||
ssl_hmac_update(&hm,A,A_l);
|
||||
A_l = sizeof(_A);
|
||||
ssl_hmac_final(&hm,_A,&A_l);
|
||||
ssl_hmac_cleanup(&hm);
|
||||
A=_A;
|
||||
|
|
@ -1986,6 +1990,7 @@ tls_hash(StringInfo* secret, StringInfo* seed, gint md, StringInfo* out)
|
|||
ssl_hmac_init(&hm,secret->data,secret->data_len,md);
|
||||
ssl_hmac_update(&hm,A,A_l);
|
||||
ssl_hmac_update(&hm,seed->data,seed->data_len);
|
||||
tmp_l = sizeof(tmp);
|
||||
ssl_hmac_final(&hm,tmp,&tmp_l);
|
||||
ssl_hmac_cleanup(&hm);
|
||||
|
||||
|
|
@ -2743,7 +2748,7 @@ tls_check_mac(SslDecoder*decoder, gint ct, gint ver, guint8* data,
|
|||
SSL_HMAC hm;
|
||||
gint md;
|
||||
guint32 len;
|
||||
guint8 buf[48];
|
||||
guint8 buf[DIGEST_MAX_SIZE];
|
||||
gint16 temp;
|
||||
|
||||
md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
|
||||
|
|
@ -2777,6 +2782,7 @@ tls_check_mac(SslDecoder*decoder, gint ct, gint ver, guint8* data,
|
|||
ssl_hmac_update(&hm,data,datalen);
|
||||
|
||||
/* get digest and digest len*/
|
||||
len = sizeof(buf);
|
||||
ssl_hmac_final(&hm,buf,&len);
|
||||
ssl_hmac_cleanup(&hm);
|
||||
ssl_print_data("Mac", buf, len);
|
||||
|
|
@ -2857,7 +2863,7 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data,
|
|||
SSL_HMAC hm;
|
||||
gint md;
|
||||
guint32 len;
|
||||
guint8 buf[20];
|
||||
guint8 buf[DIGEST_MAX_SIZE];
|
||||
gint16 temp;
|
||||
|
||||
md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
|
||||
|
|
@ -2888,6 +2894,7 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data,
|
|||
ssl_hmac_update(&hm,buf,2);
|
||||
ssl_hmac_update(&hm,data,datalen);
|
||||
/* get digest and digest len */
|
||||
len = sizeof(buf);
|
||||
ssl_hmac_final(&hm,buf,&len);
|
||||
ssl_hmac_cleanup(&hm);
|
||||
ssl_print_data("Mac", buf, len);
|
||||
|
|
|
|||
Loading…
Reference in New Issue