From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 From: Alexandru Moise Date: Tue, 7 Feb 2017 11:16:13 +0200 Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Originally a crash in 32-bit build was reported CHACHA20-POLY1305 cipher. The crash is triggered by truncated packet and is result of excessive hashing to the edge of accessible memory. Since hash operation is read-only it is not considered to be exploitable beyond a DoS condition. Other ciphers were hardened. Thanks to Robert Święcki for report. CVE-2017-3731 Backported from upstream commit: 2198b3a55de681e1f3c23edb0586afe13f438051 Upstream-Status: Backport Reviewed-by: Rich Salz Signed-off-by: Alexandru Moise --- crypto/evp/e_aes.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 1734a82..16dcd10 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; /* Correct length for explicit IV */ + if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) + return 0; len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; /* If decrypting correct for tag too */ - if (!c->encrypt) + if (!c->encrypt) { + if (len < EVP_GCM_TLS_TAG_LEN) + return 0; len -= EVP_GCM_TLS_TAG_LEN; + } c->buf[arg - 2] = len >> 8; c->buf[arg - 1] = len & 0xff; } -- 2.10.2