The handling of additional input data / personalization string data may be subject to a NULL pointer deference for the CTR DRBG. The caller-provided data may be NULL which must be caught by the DRBG.
Reported-by: kbuild test robot <[email protected]> Signed-off-by: Stephan Mueller <[email protected]> --- crypto/drbg.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/crypto/drbg.c b/crypto/drbg.c index faaa2ce..8e7c302 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -513,17 +513,20 @@ static int drbg_ctr_df(struct drbg_state *drbg, drbg_string_fill(&S2, L_N, sizeof(L_N)); drbg_string_fill(&S4, pad, padlen); S1.next = &S2; - S2.next = addtl; - /* - * splice in addtl between S2 and S4 -- we place S4 at the end of the - * input data chain - */ - tempstr = addtl; - for (; NULL != tempstr; tempstr = tempstr->next) - if (NULL == tempstr->next) - break; - tempstr->next = &S4; + if (NULL == addtl) { + S2.next = &S4; + } else { + /* + * splice in addtl between S2 and S4 -- we place S4 at the end + * of the input data chain + */ + S2.next = addtl; + tempstr = addtl; + while (tempstr->next) + tempstr = tempstr->next; + tempstr->next = &S4; + } /* 10.4.2 step 9 */ while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
