On 17.02.2016 at 19:51, Salz, Rich wrote:

       *header = c;
+    header++;
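Review bot: the hunk gives no context showing where the advanced `header` is consumed, so the effect of `header++` is invisible in the diff itself (no later line in the hunk reads `header`). The value is consumed indirectly through `header_pp = &header` by the load_iv() call that follows; include enough trailing context to show that call, or add a one-line comment on the `header++` line stating that it must step past the ',' before load_iv() starts reading at *header_pp.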

Header isn't used after that assignment.  How does this line change anything?

The call to load_iv() that occurs next has as its first argument header_pp, which is a pointer to header:

char **header_pp = &header;

Inside load_iv() this pointer is named fromp and is immediately being dereferenced:

from = *fromp;

so "from" is an alias of "header": it contains the same address as "header". When dereferenced, "from" yields the same char that "header" points to.

Now in load_iv() "from" is used to iterate over the IV hex chars:

    for (i = 0; i < num; i++) {
        if ((*from >= '0') && (*from <= '9'))
            v = *from - '0';
        else if ((*from >= 'A') && (*from <= 'F'))
            v = *from - 'A' + 10;
        else if ((*from >= 'a') && (*from <= 'f'))
            v = *from - 'a' + 10;
        else {
            PEMerr(PEM_F_LOAD_IV, PEM_R_BAD_IV_CHARS);
            return (0);
        }
        from++;
        to[i / 2] |= v << (long)((!(i & 1)) * 4);
    }

Since *from == *header == ',' at the beginning of the loop, this bombs. "header" needs to be incremented to actually point to the beginning of the IV.

I hope this is understandable. It took me a moment as well to understand how "from" in load_iv() relates to "header" in PEM_get_EVP_CIPHER_INFO().

I checked the patch with the reproduction case before posting and also added some debug logging to the "from" loop to double check.

Regards,

Rainer
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
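The aliasing described in the message above, as an added stand-alone example that is not part of the thread or of OpenSSL's own source: demo_load_iv() mirrors the quoted hex-digit loop (a pointer-to-pointer `fromp`, a local alias `from`, and the same nibble packing), and demo_parse_dek_info() is a constructed stand-in for the DEK-Info parsing in PEM_get_EVP_CIPHER_INFO(), with a `skip_comma` switch that applies or omits the `header++` from the patch. The DEK-Info line and the function names are constructed for this example; the cipher-name scan and the IV decoding follow the structure the message quotes, but nothing here is the library's API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the part of a DEK-Info header after "DEK-Info: ". */
static const char demo_line[] = "AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9";

/* Stand-in for load_iv(): `num` is the IV length in bytes; two hex chars are
 * consumed per byte through the pointer-to-pointer `fromp`. Returns 1 on
 * success, 0 on the first non-hex character (the PEM_R_BAD_IV_CHARS case). */
static int demo_load_iv(const char **fromp, unsigned char *to, int num)
{
    const char *from = *fromp;      /* alias: same address as the caller's `header` */
    int i, v;

    memset(to, 0, (size_t)num);
    num *= 2;                        /* hex digits, not bytes, from here on */
    for (i = 0; i < num; i++) {
        if (*from >= '0' && *from <= '9')
            v = *from - '0';
        else if (*from >= 'A' && *from <= 'F')
            v = *from - 'A' + 10;
        else if (*from >= 'a' && *from <= 'f')
            v = *from - 'a' + 10;
        else
            return 0;                /* a ',' left in place lands here */
        from++;
        /* even i fills the high nibble, odd i the low nibble */
        to[i / 2] |= (unsigned char)(v << ((!(i & 1)) * 4));
    }
    *fromp = from;                   /* hand the advanced position back */
    return 1;
}

/* Stand-in for the header handling in PEM_get_EVP_CIPHER_INFO(): scan the
 * cipher name up to ',', then let load_iv() read the IV through header_pp.
 * skip_comma == 1 applies the patched `header++`; 0 reproduces the bug. */
static int demo_parse_dek_info(const char *header, unsigned char *iv, int iv_len,
                               char *cipher_name, size_t name_cap, int skip_comma)
{
    const char **header_pp = &header;   /* same aliasing as in the real function */
    const char *p = header;
    size_t n;

    while (isupper((unsigned char)*header) || *header == '-' ||
           isdigit((unsigned char)*header))
        header++;
    n = (size_t)(header - p);
    if (n + 1 > name_cap)
        return 0;
    memcpy(cipher_name, p, n);
    cipher_name[n] = '\0';
    if (*header != ',')
        return 0;
    if (skip_comma)
        header++;                        /* the patched line: step past ',' */
    /* load_iv() reads *header_pp, i.e. whatever `header` points at now */
    return demo_load_iv(header_pp, iv, iv_len);
}

int main(void)
{
    unsigned char iv[16];
    char name[32];
    int ok;

    ok = demo_parse_dek_info(demo_line, iv, 16, name, sizeof name, 1);
    printf("with header++:    %s cipher=%s iv[0]=%02x iv[15]=%02x\n",
           ok ? "ok" : "bad IV chars", name, iv[0], iv[15]);
    ok = demo_parse_dek_info(demo_line, iv, 16, name, sizeof name, 0);
    printf("without header++: %s\n", ok ? "ok" : "bad IV chars");
    return 0;
}
```

Running it shows the two outcomes side by side: with the increment the name and all 16 IV bytes decode, without it the first character load_iv() sees is ',' and the decode fails on its first iteration.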
