You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@santuario.apache.org by "Scott Cantor (JIRA)" <ji...@apache.org> on 2015/01/29 03:04:34 UTC

[jira] [Updated] (SANTUARIO-400) Buffer overwrite in WinCAPICryptoSymmetricKey::encrypt() (WinCAPICryptoSymmetricKey.cpp)

     [ https://issues.apache.org/jira/browse/SANTUARIO-400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated SANTUARIO-400:
-----------------------------------
    Fix Version/s:     (was: C++ 1.7.2)

> Buffer overwrite in WinCAPICryptoSymmetricKey::encrypt() (WinCAPICryptoSymmetricKey.cpp)
> ----------------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-400
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-400
>             Project: Santuario
>          Issue Type: Bug
>          Components: C++
>    Affects Versions: C++ 1.7.0, C++ 1.7.1, C++ 1.7.2
>         Environment: Windows 7, VS2010 SP1
>            Reporter: Serge Lalonde
>            Assignee: Scott Cantor
>            Priority: Critical
>
> If the size of an Xml file being encrypted is 2KB + N, where N is a value less than m_blockSize, WinCAPICryptoSymmetricKey::encrypt() will generate a buffer overwrite at two locations, the second of which will cause a crash. Note that the 2 KB is the input buffer size.
> This happens because of a signed/unsigned overflow because the local variable "rounding" is greater than the method argument "inLength".
> Here are the locations where the overwrites occur:
> 1. line 558
>    memcpy(m_lastBlock, &inBuf[inLength - rounding], rounding);
> 2. line 562 (causes a crash)
>    memcpy(bufPtr, inBuf, inLength - rounding);
> There is a comment in the code that references that a fix was added to this method for bug 38365, which references very small inputs (which I presume means very small Xml files). Here's the patch in question:
> 	/* As per bug #38365 - we need to ensure there are enough characters to encrypt.
> 	   Otherwise we get some nasty errors due to rounding calculations when inputs
> 	   are too small */
> 	if (m_bytesInLastBlock + inLength < m_blockSize) {
> 		// Not enough input data
> 		memcpy(&m_lastBlock[m_bytesInLastBlock], inBuf, inLength);
> 		m_bytesInLastBlock += inLength;
> 		// Just in case we have returned an IV
> 		return outl;
> 	}
> In fact, this fix can be generalized easily to fix my problem also, since the if condition should really be
> 	if (inLength < m_blockSize) {
> since for very small inputs, m_bytesInLastBlock will be 0 anyway. This change allow the early return to be executed in both instances and avoids the overflow which gives a very large number and causes the crash.
> I've tested this fix in 1.7.2 and it works properly. If it could get implemented in the main code branch, that would be great.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)