diff options
| author | Peter Wu <peter@lekensteyn.nl> | 2016-03-23 03:45:20 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2016-03-23 11:02:11 +0100 |
| commit | d3d7bdf8215275b3b20690dfde3f43dbe25b6f85 (patch) | |
| tree | 079a979c7cd0e1dd7f3c1562f2ab9c12e9e403e1 | |
| parent | d328095dd4de83b839d9d8c4bdbeec0956971016 (diff) | |
| download | libgcrypt-d3d7bdf8215275b3b20690dfde3f43dbe25b6f85.tar.gz | |
Fix buffer overrun in gettag for GCM
* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
number.
--
The outbuflen is used to check the minimum size, the real tag is always
of fixed length.
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Actually this is not a buffer overrun because we copy not more than
has been allocated for OUTBUF. However a too long OUTBUFLEN accesses
data outside of the source buffer. -wk
| -rw-r--r-- | cipher/cipher-gcm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c index d390ef84..cb81ea93 100644 --- a/cipher/cipher-gcm.c +++ b/cipher/cipher-gcm.c @@ -803,12 +803,12 @@ _gcry_cipher_gcm_tag (gcry_cipher_hd_t c, if (!check) { - memcpy (outbuf, c->u_mode.gcm.u_tag.tag, outbuflen); + memcpy (outbuf, c->u_mode.gcm.u_tag.tag, GCRY_GCM_BLOCK_LEN); return GPG_ERR_NO_ERROR; } else { - return buf_eq_const(outbuf, c->u_mode.gcm.u_tag.tag, outbuflen) ? + return buf_eq_const(outbuf, c->u_mode.gcm.u_tag.tag, GCRY_GCM_BLOCK_LEN) ? GPG_ERR_NO_ERROR : GPG_ERR_CHECKSUM; } |