From e810545dc2ae158745624c1575b76c55f883c892 Mon Sep 17 00:00:00 2001
From: Guus Sliepen
Date: Fri, 3 Jun 2005 10:16:03 +0000
Subject: [PATCH] Prevent possible buffer overflows when using very large (>= 8192 bit) RSA keys.

Thanks to Tonnerre Lombard for noticing!
---
 THANKS | 1 +
 src/protocol.h | 7 +++++--
 src/protocol_auth.c | 8 ++++++--
 src/protocol_key.c | 3 ++-
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/THANKS b/THANKS
index 8210465b..2f097d6a 100644
--- a/THANKS
+++ b/THANKS
@@ -23,6 +23,7 @@ We would like to thank the following people for their contributions to tinc:
 * Paul Littlefield
 * Robert van der Meulen
 * Teemu Kiviniemi
+* Tonnerre Lombard
 * Wessel Dankers
 * Wouter van Heyst
diff --git a/src/protocol.h b/src/protocol.h
index 100543a1..d6a35be7 100644
--- a/src/protocol.h
+++ b/src/protocol.h
@@ -56,9 +56,12 @@ typedef struct past_request_t {
 extern bool tunnelserver;
-/* Maximum size of strings in a request */
+/* Maximum size of strings in a request.
+ * scanf terminates %2048s with a NUL character,
+ * but the NUL character can be written after the 2048th non-NUL character.
+ */
-#define MAX_STRING_SIZE 2048
+#define MAX_STRING_SIZE 2049
 #define MAX_STRING "%2048s"
 #include "edge.h"
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 8d4b0329..c44c6d01 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -118,7 +118,7 @@ bool id_h(connection_t *c)
 bool send_metakey(connection_t *c)
 {
- char buffer[MAX_STRING_SIZE];
+ char *buffer;
 int len;
 bool x;
@@ -128,6 +128,8 @@ bool send_metakey(connection_t *c)
 /* Allocate buffers for the meta key */
+ buffer = alloca(2 * len + 1);
+
 if(!c->outkey)
 c->outkey = xmalloc(len);
@@ -302,7 +304,7 @@ bool metakey_h(connection_t *c)
 bool send_challenge(connection_t *c)
 {
- char buffer[MAX_STRING_SIZE];
+ char *buffer;
 int len;
 cp();
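Review bot: In the src/protocol.h hunk, `MAX_STRING_SIZE 2049` and `MAX_STRING "%2048s"` now state the same limit twice with an unstated off-by-one between them, and the new comment sits only on the size, so a later edit to either macro can silently bring the overrun back. Expressing the relation once would make that harder, e.g. `#define MAX_STRING_LEN 2048` and `#define MAX_STRING_SIZE (MAX_STRING_LEN + 1)` with the scanf width derived from MAX_STRING_LEN by stringizing, or at minimum a comment on the width macro: `#define MAX_STRING "%2048s" /* width must stay MAX_STRING_SIZE - 1 */`. This change only protects buffers that are filled through MAX_STRING; any `char x[MAX_STRING_SIZE]` written by a hand-coded width or a copy elsewhere in the tree is not covered, which I cannot check from this hunk.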
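Review bot: `buffer = alloca(2 * len + 1);` in the second src/protocol_auth.c hunk (send_metakey) has no failure return and no upper bound on `len`, so an oversized key length becomes a stack overrun instead of a reported error; `len` is assigned outside the hunk, presumably from the RSA key size, so I cannot confirm it is capped anywhere. Since `c->outkey = xmalloc(len);` two lines below already uses the heap, allocating `buffer` with `xmalloc(2 * len + 1)` and freeing it on every return path, or rejecting `len` above a fixed maximum before either allocation, would keep the fix and fail cleanly. The same alloca pattern appears in the send_challenge hunk and in send_ans_key in src/protocol_key.c, so whichever shape is chosen should be applied to all three. alloca is also not ISO C, so the file may need the project's portability header to be included first, which is not visible in the hunk. Note too that if the receiving handlers still parse with MAX_STRING ("%2048s"), hex strings longer than 2048 characters are truncated at the peer, so the sender can now build values the protocol cannot carry.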
@@ -313,6 +315,8 @@ bool send_challenge(connection_t *c)
 /* Allocate buffers for the challenge */
+ buffer = alloca(2 * len + 1);
+
 if(!c->hischallenge)
 c->hischallenge = xmalloc(len);
diff --git a/src/protocol_key.c b/src/protocol_key.c
index a56ff919..e393dd64 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -142,10 +142,11 @@ bool req_key_h(connection_t *c)
 bool send_ans_key(connection_t *c, const node_t *from, const node_t *to)
 {
- char key[MAX_STRING_SIZE];
+ char *key;
 cp();
+ key = alloca(2 * from->keylength + 1);
 bin2hex(from->key, key, from->keylength);
 key[from->keylength * 2] = '\0';