* Possible bit/byte conversion mistake in xfrm_state.c
@ 2013-11-22 14:54 Marksteiner, Stefan
2013-11-24 11:54 ` Fan Du
0 siblings, 1 reply; 2+ messages in thread
From: Marksteiner, Stefan @ 2013-11-22 14:54 UTC (permalink / raw)
To: netdev
[-- Attachment #1: Type: text/plain, Size: 860 bytes --]
Hi folks,
I might have found a little bit/byte mistake in xfrm_state.c of
iproute2-3.11.0 (and also lower versions).
In line 169 the algorithm length is set correctly ("alg->alg_key_len =
len * 8;") in bits (as it is supposed by /usr/include/linux/xfrm.h, line
101), but later in line 496 the same value is read and added to a length
value in bytes ("len += alg.u.alg.alg_key_len;").
I'm not completetly sure, but I'm wondering if this might lead to errors
for algorithms with big key sizes (>2048 bits) for the key buffer
("char buf[RTA_BUF_SIZE]" in line 274) reserves only 2048 bytes of
memory (RTA_BUF_SIZE=2048). So taking bits for bytes, the following
memcopy operation may overwrite adjacent memory areas.
Can somebody verify if this is in fact an issue? Maybe I'm reading this
whole stuff wrong.
Cheers,
Stefan
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4282 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Possible bit/byte conversion mistake in xfrm_state.c
2013-11-22 14:54 Possible bit/byte conversion mistake in xfrm_state.c Marksteiner, Stefan
@ 2013-11-24 11:54 ` Fan Du
0 siblings, 0 replies; 2+ messages in thread
From: Fan Du @ 2013-11-24 11:54 UTC (permalink / raw)
To: Marksteiner, Stefan; +Cc: netdev
Please wrap the line in shorter length ;)
On 2013年11月22日 22:54, Marksteiner, Stefan wrote:
> Hi folks,
>
> I might have found a little bit/byte mistake in xfrm_state.c of iproute2-3.11.0 (and also lower versions).
>
> In line 169 the algorithm length is set correctly ("alg->alg_key_len = len * 8;") in bits (as it is supposed by /usr/include/linux/xfrm.h, line 101), but later in line 496 the same value is read and added to a length value in bytes ("len += alg.u.alg.alg_key_len;").
>
> I'm not completetly sure, but I'm wondering if this might lead to errors for algorithms with big key sizes (>2048 bits) for the key buffer ("char buf[RTA_BUF_SIZE]" in line 274) reserves only 2048 bytes of memory (RTA_BUF_SIZE=2048). So taking bits for bytes, the following memcopy operation may overwrite adjacent memory areas.
>
> Can somebody verify if this is in fact an issue? Maybe I'm reading this whole stuff wrong.
You are totally right about this bit/byte mistake here.
Normally the aes key len is 128bits, and 160bits for sha1, and
the key buf defined here is XFRM_ALGO_KEY_BUF_SIZE 512 bytes,
so there are stale data append after each key content, although
is not used by key interface anyway, which means the IPsec
communication goes well after all.
--
浮沉随浪只记今朝笑
--fan fan
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-11-24 11:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-22 14:54 Possible bit/byte conversion mistake in xfrm_state.c Marksteiner, Stefan
2013-11-24 11:54 ` Fan Du
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).