diff options
author | mallinath@chromium.org <mallinath@chromium.org@4ff67af0-8c30-449e-8e8b-ad334ec8d88c> | 2012-09-18 22:20:15 +0000 |
---|---|---|
committer | mallinath@chromium.org <mallinath@chromium.org@4ff67af0-8c30-449e-8e8b-ad334ec8d88c> | 2012-09-18 22:20:15 +0000 |
commit | eee5d33e297c8c4a4495f2890c02049c150af43a (patch) | |
tree | 5e9b8b3746e3a8588c63c2dbeb3a9458767a450e | |
parent | 7655e35a536641f0664c9323c7505139c898c779 (diff) | |
download | libsrtp-eee5d33e297c8c4a4495f2890c02049c150af43a.tar.gz |
Fixes the buffer overflow read while initializing
the aes_icm_context.
The issue is fixed by applying the below patch, which is not
committed to libsrtp trunk yet.
http://sourceforge.net/tracker/index.php?func=detail&aid=3566388&group_id=38894&atid=423799
BUG=150571
Review URL: https://chromiumcodereview.appspot.com/10952005
git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/libsrtp@157430 4ff67af0-8c30-449e-8e8b-ad334ec8d88c
-rw-r--r-- | srtp/crypto/cipher/aes_icm.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/srtp/crypto/cipher/aes_icm.c b/srtp/crypto/cipher/aes_icm.c index 1f9bcbd..a0805d4 100644 --- a/srtp/crypto/cipher/aes_icm.c +++ b/srtp/crypto/cipher/aes_icm.c @@ -165,7 +165,7 @@ aes_icm_dealloc(cipher_t *c) { err_status_t aes_icm_context_init(aes_icm_ctx_t *c, const uint8_t *key, int key_len) { err_status_t status; - int base_key_len; + int base_key_len, copy_len; if (key_len > 16 && key_len < 30) /* Ismacryp */ base_key_len = 16; @@ -174,15 +174,20 @@ aes_icm_context_init(aes_icm_ctx_t *c, const uint8_t *key, int key_len) { else return err_status_bad_param; - /* set counter and initial values to 'offset' value */ - /* Note this copies past the end of the 'key' array by 2 bytes! */ - v128_copy_octet_string(&c->counter, key + base_key_len); - v128_copy_octet_string(&c->offset, key + base_key_len); + /* + * set counter and initial values to 'offset' value, being careful not to + * go past the end of the key buffer. + */ + v128_set_to_zero(&c->counter); + v128_set_to_zero(&c->offset); - /* force last two octets of the offset to zero (for srtp compatibility) */ - c->offset.v8[14] = c->offset.v8[15] = 0; - c->counter.v8[14] = c->counter.v8[15] = 0; + /* force last two octets of the offset to be left zero + * (for srtp compatibility) */ + copy_len = key_len - base_key_len; + memcpy(&c->counter, key + base_key_len, copy_len); + memcpy(&c->offset, key + base_key_len, copy_len); + debug_print(mod_aes_icm, "key: %s", octet_string_hex_string(key, base_key_len)); debug_print(mod_aes_icm, |