On 8/20/2013 8:49 PM, Arthur Mesh wrote:
I am not 100% sure this is a real bug, hence mailing openssl-users
instead of rt@.


641                 if (is_sslv3)
642                         {
<snip>
647                         unsigned overhang = header_length-md_block_size;
648                         md_transform(md_state.c, header);
649                         memcpy(first_block, header + md_block_size, overhang);

My suspicion lies in line 649, where we're copying overhang number of bytes
from (header + md_block_size). I believe that copying from (header +
md_block_size) is out-of-bound access (overrun).

header is an array of 13 unsigned chars, and md_block_size == 64 (or 128 in some cases). Hence (header + md_block_size) points outside of header[13]. Assuming
overhang > 0, by doing a memcpy(), we have a problem, no?


I think you got this partially wrong.

If sizeof(header) == header_length &&
   header_length >= md_block_size &&
   sizeof(first_block) >= header_length - md_block_size
then the above code will not overflow.

But:

If header_length < md_block_size
then
   This code will massively overflow and crash, as it tries to copy almost MAX_UNSIGNED_INT bytes.

If sizeof(first_block) < header_length - md_block_size
then
   This code will overflow first_block.

I sure hope there is code in there which checks the validity of the two inequalities, either directly or by only using hardcoded known good values for those parameters.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
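To make the three conditions in the reply above concrete, here is an added C example written for this page; it is not code from OpenSSL's s3_cbc.c and not something either poster wrote. It reproduces the `header_length - md_block_size` arithmetic from the quoted snippet, shows the wrap when `header_length` (13) is smaller than `md_block_size` (64), and pairs it with a guarded copy that refuses to run the `memcpy` unless all three inequalities hold. The function names, the `HEADER_BUF_MAX` bound, the 68-byte "good" header length and the buffer contents are constructed for the example.

```c
/* Added example (not OpenSSL code): the overhang arithmetic from the
 * quoted snippet, once unchecked and once guarded by the preconditions
 * named in the reply. All buffer sizes and contents are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption: no header buffer larger than this is ever passed in. */
#define HEADER_BUF_MAX 128

enum overhang_status {
    OVERHANG_OK = 0,
    OVERHANG_UNDERFLOW,     /* header_length < md_block_size: the subtraction wraps */
    OVERHANG_READ_OVERRUN,  /* header + md_block_size + overhang runs past the header buffer */
    OVERHANG_WRITE_OVERRUN  /* overhang exceeds the destination buffer */
};

/* The unchecked arithmetic exactly as quoted: with header_length == 13 and
 * md_block_size == 64 it wraps to 4294967245 for a 32-bit unsigned. */
unsigned unchecked_overhang(unsigned header_length, unsigned md_block_size)
{
    unsigned overhang = header_length - md_block_size;
    return overhang;
}

/* Guarded copy. Touches memory only if
 *   header_length <= header_buf_size,
 *   header_length >= md_block_size, and
 *   header_length - md_block_size <= first_block_size.
 * On success returns OVERHANG_OK and stores the byte count in *copied;
 * otherwise returns an error code and copies nothing. */
enum overhang_status checked_overhang_copy(unsigned char *first_block, size_t first_block_size,
                                           const unsigned char *header, size_t header_buf_size,
                                           unsigned header_length, unsigned md_block_size,
                                           unsigned *copied)
{
    if (header_length > header_buf_size)
        return OVERHANG_READ_OVERRUN;       /* header_length exceeds the real buffer */
    if (header_length < md_block_size)
        return OVERHANG_UNDERFLOW;          /* overhang would wrap to ~4 GiB */
    unsigned overhang = header_length - md_block_size;
    if (overhang > first_block_size)
        return OVERHANG_WRITE_OVERRUN;      /* would run off the end of first_block */
    memcpy(first_block, header + md_block_size, overhang);
    if (copied)
        *copied = overhang;
    return OVERHANG_OK;
}

/* The scenario from the thread: 13-byte header, 64-byte hash block. */
enum overhang_status scenario_13_byte_header(void)
{
    unsigned char header[13] = {0};
    unsigned char first_block[64];
    return checked_overhang_copy(first_block, sizeof first_block,
                                 header, sizeof header, (unsigned)sizeof header, 64, NULL);
}

/* Well-formed case (constructed): 68-byte header, 64-byte block, so the 4
 * bytes after the first block are copied into first_block. Returns the byte
 * count copied, or -1 if the copy was refused or the bytes do not match. */
int scenario_header_longer_than_block(void)
{
    unsigned char header[HEADER_BUF_MAX];
    unsigned char first_block[64];
    unsigned copied = 0;
    for (size_t i = 0; i < sizeof header; i++)
        header[i] = (unsigned char)i;       /* recognisable filler bytes */
    if (checked_overhang_copy(first_block, sizeof first_block, header, sizeof header,
                              68, 64, &copied) != OVERHANG_OK)
        return -1;
    for (unsigned i = 0; i < copied; i++)
        if (first_block[i] != header[64 + i])
            return -1;
    return (int)copied;
}

/* Destination too small for the overhang: 100 - 64 = 36 bytes into 8. */
enum overhang_status scenario_small_first_block(void)
{
    unsigned char header[HEADER_BUF_MAX] = {0};
    unsigned char first_block[8];
    return checked_overhang_copy(first_block, sizeof first_block,
                                 header, sizeof header, 100, 64, NULL);
}

/* header_length larger than the buffer actually backing it. */
enum overhang_status scenario_header_length_lies(void)
{
    unsigned char header[HEADER_BUF_MAX] = {0};
    unsigned char first_block[64];
    return checked_overhang_copy(first_block, sizeof first_block,
                                 header, sizeof header, 200, 64, NULL);
}

int main(void)
{
    printf("unchecked overhang for 13 - 64: %u\n", unchecked_overhang(13, 64));
    printf("13-byte header, 64-byte block: status %d\n", (int)scenario_13_byte_header());
    printf("68-byte header, 64-byte block: copied %d bytes\n", scenario_header_longer_than_block());
    printf("first_block too small: status %d\n", (int)scenario_small_first_block());
    printf("header_length > buffer: status %d\n", (int)scenario_header_length_lies());
    return 0;
}
```

The ordering of the checks matters: the bound on `header_length` against the real buffer size comes first, because once `header_length` is trusted the two remaining inequalities only reason about that number, and the underflow check must precede the subtraction, since after the wrap `overhang` compares as an enormous but still "valid" unsigned value.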
