Yubico / yubikey-personalization

YubiKey Personalization cross-platform library and tool
https://developers.yubico.com/yubikey-personalization/
BSD 2-Clause "Simplified" License

Tighten the salt_len check to avoid a potential stack buf overwrite f… #142

Closed nevun closed 5 years ago

nevun commented 5 years ago

…urther down.

If salt_len was 256:

```c
for (block_count = 1; block_count <= l; block_count++) {
        unsigned char block[256]; /* A big chunk, that's 2048 bits */
[ ... ]

        memcpy(block, salt, salt_len);
        block[salt_len + 0] = (block_count & 0xff000000) >> 24;
        block[salt_len + 1] = (block_count & 0x00ff0000) >> 16;
        block[salt_len + 2] = (block_count & 0x0000ff00) >>  8;
        block[salt_len + 3] = (block_count & 0x000000ff) >>  0;
```

`block[256]` is outside the buffer, and then the next lines would overwrite 3 more bytes.
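
An added example, not code from this pull request or from the project: a bounds check that leaves room for the four counter bytes the quoted loop appends after the salt. The names `fill_block`, `try_salt_len`, `BLOCK_SIZE` and `COUNTER_LEN` are hypothetical, and the limit `salt_len <= 256 - 4` is an assumption derived from the quoted writes, not the exact check merged upstream.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE  256  /* size of block[] in the quoted loop */
#define COUNTER_LEN 4    /* big-endian block_count appended after the salt */

/* Hypothetical helper: writes salt || block_count (big-endian) into block.
 * Returns the number of bytes written, or 0 if the result would not fit. */
static size_t fill_block(unsigned char block[BLOCK_SIZE],
                         const unsigned char *salt, size_t salt_len,
                         uint32_t block_count)
{
    /* Check before any write. Comparing against BLOCK_SIZE - COUNTER_LEN
     * keeps the test free of integer overflow in salt_len + COUNTER_LEN. */
    if (salt == NULL || salt_len > BLOCK_SIZE - COUNTER_LEN)
        return 0;

    memcpy(block, salt, salt_len);
    block[salt_len + 0] = (unsigned char)(block_count >> 24);
    block[salt_len + 1] = (unsigned char)(block_count >> 16);
    block[salt_len + 2] = (unsigned char)(block_count >> 8);
    block[salt_len + 3] = (unsigned char)(block_count >> 0);
    return salt_len + COUNTER_LEN;
}

/* Runs fill_block() on a constructed salt of the given length. */
static size_t try_salt_len(size_t salt_len)
{
    unsigned char salt[BLOCK_SIZE];   /* constructed sample data */
    unsigned char block[BLOCK_SIZE];

    memset(salt, 0xA5, sizeof salt);
    return fill_block(block, salt, salt_len, 1);
}

int main(void)
{
    /* 252 is the largest salt that leaves room for the 4 counter bytes. */
    const size_t lens[] = { 0, 252, 253, 256 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("salt_len=%zu -> %zu bytes written\n",
               lens[i], try_salt_len(lens[i]));
    return 0;
}
```

Salt lengths 253 through 256 are all rejected here, since each of them would place at least one counter byte past the end of `block`.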