
Fix AES padding not removed if % AES_BLOCKSIZE.

Don't memcpy beyond src buffer size in strcpy implementation.

Technically safe since the buffer overrun was replaced by NUL, but the act
can trigger memory safety features.
Maarten Billemont 2020-01-07 15:54:34 -05:00
parent f999e75ebe
commit 6832c05138


@ -395,7 +395,6 @@ uint8_t const *mpw_hash_hmac_sha256(const uint8_t *key, const size_t keySize, co
return mac; return mac;
} }
// We do our best to not fail on odd buf's, eg. non-padded cipher texts.
static uint8_t const *mpw_aes(bool encrypt, const uint8_t *key, const size_t keySize, const uint8_t *buf, size_t *bufSize) { static uint8_t const *mpw_aes(bool encrypt, const uint8_t *key, const size_t keySize, const uint8_t *buf, size_t *bufSize) {
if (!key || keySize < AES_BLOCKLEN || !bufSize || !*bufSize) if (!key || keySize < AES_BLOCKLEN || !bufSize || !*bufSize)
@ -431,7 +430,7 @@ static uint8_t const *mpw_aes(bool encrypt, const uint8_t *key, const size_t key
// Truncate PKCS#7 padding // Truncate PKCS#7 padding
if (encrypt) if (encrypt)
*bufSize = aesSize; *bufSize = aesSize;
else if (*bufSize % AES_BLOCKLEN == 0 && resultBuf[aesSize - 1] < AES_BLOCKLEN) else if (resultBuf[aesSize - 1] <= AES_BLOCKLEN)
*bufSize -= resultBuf[aesSize - 1]; *bufSize -= resultBuf[aesSize - 1];
return resultBuf; return resultBuf;
@ -596,7 +595,7 @@ const uint8_t *mpw_unhex(const char *hex) {
mpw_free( &buf, bytes ); mpw_free( &buf, bytes );
return NULL; return NULL;
} }
return buf; return buf;
} }
@ -654,8 +653,9 @@ char *mpw_strndup(const char *src, const size_t max) {
size_t len = 0; size_t len = 0;
for (; len < max && src[len] != '\0'; ++len); for (; len < max && src[len] != '\0'; ++len);
char *dst = mpw_memdup( src, len + 1 ); char *dst = calloc( len + 1, sizeof( char ) );
dst[len] = '\0'; if (dst)
memcpy( dst, src, len );
return dst; return dst;
} }
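Review bot: In the padding-truncation hunk of mpw_aes, the new decrypt branch `else if (resultBuf[aesSize - 1] <= AES_BLOCKLEN)` no longer requires `*bufSize` to be block-aligned, so `*bufSize -= resultBuf[aesSize - 1];` can wrap the `size_t` whenever the last decrypted byte is larger than `*bufSize`. That looks reachable for a short, non-padded input if aesSize is the rounded-up length, but aesSize is computed outside the hunk, so this is inferred. A pad byte of 0 also passes the check although it is not valid PKCS#7, and the remaining padding bytes are never compared. I would bound the value on both sides, e.g. `else if (resultBuf[aesSize - 1] >= 1 && resultBuf[aesSize - 1] <= AES_BLOCKLEN && resultBuf[aesSize - 1] <= *bufSize)`, so that a caller sizing a copy from the returned `*bufSize` never sees a wrapped length. The body of mpw_aes starts and ends outside the visible hunks.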