added checks to avoid overflows caused by user supplied field sizes

2025-12-17 03:50:57 +01:00 · 2015-06-26 11:13:03 +02:00
parent 9b3202df5c
commit 0dbf5df943
2 changed files with 37 additions and 16 deletions
--- a/libpcp/crypto.c
+++ b/libpcp/crypto.c
@@ -145,7 +145,7 @@ size_t pcp_decrypt_stream(PCPCTX *ptx, Pcpstream *in, Pcpstream* out, pcp_key_t
  else {
    /*  step 1, check header */
    cur_bufsize = ps_read(in, head, 1); /* fread(head, 1, 1, in); */
-    if(cur_bufsize != 1 && !ps_end(in) && !ps_err(in)) {
+    if(cur_bufsize == 1 && !ps_end(in) && !ps_err(in)) {
      if(head[0] == PCP_SYM_CIPHER) {
 	if(symkey != NULL)
 	  self = 1;
@@ -206,7 +206,8 @@ size_t pcp_decrypt_stream(PCPCTX *ptx, Pcpstream *in, Pcpstream* out, pcp_key_t
  for(nrec=0; nrec<lenrec; nrec++) {
    cur_bufsize = ps_read(in, rec_buf, PCP_ASYM_RECIPIENT_SIZE);
    if(cur_bufsize != PCP_ASYM_RECIPIENT_SIZE && !ps_end(in) && !ps_err(in)) {
-      fatal(ptx, "Error: input file corrupted, incomplete or no recipients (got %ld, exp %ld)\n", cur_bufsize, PCP_ASYM_RECIPIENT_SIZE );
+      fatal(ptx, "Error: input file corrupted, incomplete or no recipients (got %ld, exp %ld)\n",
+	    cur_bufsize, PCP_ASYM_RECIPIENT_SIZE );
      ucfree(rec_buf, PCP_ASYM_RECIPIENT_SIZE);
      goto errdef1;
    }
@@ -692,6 +693,12 @@ uint64_t _get_nonce_ctr(byte *nonce) {
  uint16_t m16 = 0;
  uint32_t m32 = 0;

+  if(i > 16) {
+    /* counter bigger than max allowed by protocol, could lead to overflow, therefore die hard here */
+    fprintf(stderr, "invalid counter size %d!", i);
+    abort();
+  }
+  
  switch(i) {
  case 1:
    ctr = nonce[1];
--- a/libpcp/mgmt.c
+++ b/libpcp/mgmt.c
@@ -70,6 +70,9 @@ int _check_keysig_h(PCPCTX *ptx, Buffer *blob, rfc_pub_sig_h *h) {
 }

 int _check_sigsubs(PCPCTX *ptx, Buffer *blob, pcp_pubkey_t *p, rfc_pub_sig_s *subheader) {
+  uint16_t nsize, vsize;
+  char *notation = NULL;
+  
  if(subheader->size > buffer_left(blob)) {
    fatal(ptx, "Invalid header size %ld specified in source\n", subheader->size);
    return 1;
@@ -77,44 +80,44 @@ int _check_sigsubs(PCPCTX *ptx, Buffer *blob, pcp_pubkey_t *p, rfc_pub_sig_s *su

  if(subheader->type == EXP_SIG_SUB_NOTATION) {
    /* mail or owner */
-    uint16_t nsize = buffer_get16na(blob);
-    uint16_t vsize = buffer_get16na(blob);
-
-    char *notation = ucmalloc(nsize+1);
+    nsize = buffer_get16na(blob);
+    vsize = buffer_get16na(blob);

    if(nsize >  buffer_left(blob)) {
      fatal(ptx, "Invalid notation size %ld specified in source\n", nsize);
      return 1;
    }

+    notation = ucmalloc(nsize+1);
+
    if(buffer_get_chunk(blob, notation, nsize) == 0) {
      fatal(ptx, "Invalid notation size, expected %ld bytes, but got 0\n", nsize);
-      return 1;
+      goto sgcerr;
    }

    notation[nsize] = '\0';

-    if(vsize >  buffer_left(blob)) {
+    if(vsize >  buffer_left(blob) || vsize > 255) {
      fatal(ptx, "Invalid notation value size %ld specified in source\n", vsize);
-      return 1;
+      goto sgcerr;
    }

    if(strncmp(notation, "owner", 5) == 0) {
      if(buffer_get_chunk(blob, p->owner, vsize) == 0) {
 	fatal(ptx, "Invalid 'owner' notation, expected %ld bytes, but got 0\n", vsize);
-	return 1;
+	goto sgcerr;
      }
    }
    else if(strncmp(notation, "mail", 4) == 0) {
      if(buffer_get_chunk(blob, p->mail, vsize) == 0) {
 	fatal(ptx, "Invalid 'mail' notation, expected %ld bytes, but got 0\n", vsize);
-	return 1;
+	goto sgcerr;
      }
    }
    else if(strncmp(notation, "serial", 6) == 0) {
      p->serial = buffer_get32na(blob);
    }
-    ucfree(notation, nsize);
+    ucfree(notation, nsize+1);
  }
  else {
    /* unsupported or ignored sig subs:
@@ -129,8 +132,11 @@ int _check_sigsubs(PCPCTX *ptx, Buffer *blob, pcp_pubkey_t *p, rfc_pub_sig_s *su
    }
  }

-
  return 0;
+
+ sgcerr:
+  ucfree(notation, nsize+1);
+  return 1;
 }

 int _check_hash_keysig(PCPCTX *ptx, Buffer *blob, pcp_pubkey_t *p, pcp_keysig_t *sk) {
@@ -814,7 +820,7 @@ pcp_key_t *pcp_import_secret_native(PCPCTX *ptx, Buffer *cipher, char *passphras
  byte *symkey = NULL;
  byte *clear = NULL;
  size_t cipherlen = 0;
-  size_t minlen = (64 * 2) + (32 * 4) + 8 + 4 + 4;
+  size_t minlen = (64 * 2) + (32 * 4) + 8 + 4 + 4; /* key material and mandatory field sizes */
  uint16_t notationlen = 0;

  Buffer *blob = buffer_new(512, "secretdecryptbuf");
@@ -853,11 +859,19 @@ pcp_key_t *pcp_import_secret_native(PCPCTX *ptx, Buffer *cipher, char *passphras
  buffer_get_chunk(blob, sk->edpub, 32);

  notationlen = buffer_get16na(blob);
-  if(notationlen > 0)
+  if(notationlen > 255) {
+    fatal(ptx, "Invalid notation value size for owner\n");
+    goto impserr2;
+  }
+  else if(notationlen > 0)
    buffer_get_chunk(blob, sk->owner, notationlen);

  notationlen = buffer_get16na(blob);
-  if(notationlen > 0)
+  if(notationlen > 255) {
+    fatal(ptx, "Invalid notation value size for mail\n");
+    goto impserr2;
+  }
+  else if(notationlen > 0)
    buffer_get_chunk(blob, sk->mail, notationlen);

  if(buffer_done(blob) == 1)