Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys

This function -- a mock replacement used only for fuzzing -- would
have a buffer overflow if it got an RSA key whose modulus was under
20 bytes long.

Fortunately, Tor itself does not appear to have a bug here.

Fixes bug 24247; bugfix on 0.3.0.3-alpha when fuzzing was
introduced.  Found by OSS-Fuzz; this is OSS-Fuzz issue 4177.
Nick Mathewson 6 years ago
parent
512dfa15ed
commit
a7ca71cf6b
2 changed files with 9 additions and 2 deletions
Split View Show Diff Stats
  1. 6 0
      changes/bug24247
  2. 3 2
      src/test/fuzz/fuzzing_common.c

+ 6 - 0
changes/bug24247
View File 

@@ -0,0 +1,6 @@
 
+  o Minor bugfixes (fuzzing):
 
+    - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to
 
+      correctly handle cases where a caller gives it an RSA key of under 160
 
+      bits. (This is not actually a bug in Tor itself, but wrather in our
 
+      fuzzing code.)  Fixes bug 24247; bugfix on 0.3.0.3-alpha.
 
+      Found by OSS-Fuzz as issue 4177.

+ 3 - 2
src/test/fuzz/fuzzing_common.c
View File 

@@ -28,8 +28,9 @@ mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to,
 
   (void)fromlen;
 
   /* We could look at from[0..fromlen-1] ... */
 
   tor_assert(tolen >= crypto_pk_keysize(env));
 
-  memset(to, 0x01, 20);
 
-  return 20;
 
+  size_t siglen = MIN(20, crypto_pk_keysize(env));
 
+  memset(to, 0x01, siglen);
 
+  return (int)siglen;
 
 }
 
 
 static int