« Return to Thread: Potential int overflow in src/sbin/bioctl/pbkdf2.c

Potential int overflow in src/sbin/bioctl/pbkdf2.c

by Andrew Nelless :: Rate this Message:

Hi,

The range checking of the salt length (salt_len) in pkcs5_pbkdf2() on
line 90 of src/sbin/bioctl/pbkdf2.c is a bit off:

90: if (salt_len == 0 || salt_len > SIZE_MAX - 1)
91: return -1;
92: if ((asalt = malloc(salt_len + 4)) == NULL)
94: return -1;

If (SIZE_MAX - 2) is passed to this function "asalt" will be
malloc(1)'d and the subsequent memcpy on line 95 will segfault.
This has no impact to bioctl but this implementation is linked to from
the PBKDF2 Wikipedia article, and may be copied and used by others.

Regards,

Andrew

« Return to Thread: Potential int overflow in src/sbin/bioctl/pbkdf2.c