rpms / freerdp

Clone
Source Code
GIT

Blame SOURCES/Fixed-GHSL-2020-102-heap-overflow.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   8b16a4dc7d4dabe4831a1a49d33484e2796a6b5d
  2.   SOURCES
  3.   Fixed-GHSL-2020-102-heap-overflow.patch
Blob History Raw
8b16a4 
From 0d468aacfc2c14b904896d9d7ee2cd07bf7c6004 Mon Sep 17 00:00:00 2001
8b16a4 
From: akallabeth <akallabeth@posteo.net>
8b16a4 
Date: Tue, 19 May 2020 07:41:14 +0200
8b16a4 
Subject: [PATCH] Fixed  GHSL-2020-102 heap overflow
8b16a4
8b16a4 
(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)
8b16a4 
---
8b16a4 
 libfreerdp/crypto/crypto.c | 41 ++++++++++++++++++++++++++++----------
8b16a4 
 1 file changed, 30 insertions(+), 11 deletions(-)
8b16a4
8b16a4 
diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
8b16a4 
index 39875f74d..10d430a82 100644
8b16a4 
--- a/libfreerdp/crypto/crypto.c
8b16a4 
+++ b/libfreerdp/crypto/crypto.c
8b16a4 
@@ -96,13 +96,24 @@ exit:
8b16a4 
 static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus,
8b16a4 
                              const BYTE* exponent, int exponent_size, BYTE* output)
8b16a4 
 {
8b16a4 
-	BN_CTX* ctx;
8b16a4 
+	BN_CTX* ctx = NULL;
8b16a4 
 	int output_length = -1;
8b16a4 
-	BYTE* input_reverse;
8b16a4 
-	BYTE* modulus_reverse;
8b16a4 
-	BYTE* exponent_reverse;
8b16a4 
-	BIGNUM* mod, *exp, *x, *y;
8b16a4 
-	input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);
8b16a4 
+	BYTE* input_reverse = NULL;
8b16a4 
+	BYTE* modulus_reverse = NULL;
8b16a4 
+	BYTE* exponent_reverse = NULL;
8b16a4 
+	BIGNUM* mod = NULL;
8b16a4 
+	BIGNUM* exp = NULL;
8b16a4 
+	BIGNUM* x = NULL;
8b16a4 
+	BIGNUM* y = NULL;
8b16a4 
+	size_t bufferSize = 2 * key_length + exponent_size;
8b16a4 
+
8b16a4 
+	if (!input || (length < 0) || (exponent_size < 0) || !modulus || !exponent || !output)
8b16a4 
+		return -1;
8b16a4 
+
8b16a4 
+	if (length > bufferSize)
8b16a4 
+		bufferSize = length;
8b16a4 
+
8b16a4 
+	input_reverse = (BYTE*)calloc(bufferSize, 1);
8b16a4
8b16a4 
 	if (!input_reverse)
8b16a4 
 		return -1;
8b16a4 
@@ -131,16 +142,24 @@ static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, c
8b16a4 
 	if (!(y = BN_new()))
8b16a4 
 		goto fail_bn_y;
8b16a4
8b16a4 
-	BN_bin2bn(modulus_reverse, key_length, mod);
8b16a4 
-	BN_bin2bn(exponent_reverse, exponent_size, exp);
8b16a4 
-	BN_bin2bn(input_reverse, length, x);
8b16a4 
-	BN_mod_exp(y, x, exp, mod, ctx);
8b16a4 
+	if (!BN_bin2bn(modulus_reverse, key_length, mod))
8b16a4 
+		goto fail;
8b16a4 
+
8b16a4 
+	if (!BN_bin2bn(exponent_reverse, exponent_size, exp))
8b16a4 
+		goto fail;
8b16a4 
+	if (!BN_bin2bn(input_reverse, length, x))
8b16a4 
+		goto fail;
8b16a4 
+	if (BN_mod_exp(y, x, exp, mod, ctx) != 1)
8b16a4 
+		goto fail;
8b16a4 
 	output_length = BN_bn2bin(y, output);
8b16a4 
+	if (output_length < 0)
8b16a4 
+		goto fail;
8b16a4 
 	crypto_reverse(output, output_length);
8b16a4
8b16a4 
-	if (output_length < (int) key_length)
8b16a4 
+	if (output_length < key_length)
8b16a4 
 		memset(output + output_length, 0, key_length - output_length);
8b16a4
8b16a4 
+fail:
8b16a4 
 	BN_free(y);
8b16a4 
 fail_bn_y:
8b16a4 
 	BN_clear_free(x);
8b16a4 
--
8b16a4 
2.26.2
8b16a4

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation