[PW_SID:810745] dpp: fix data corruption around prf_plus() call #286
This is taken care of by the individual cache items and if none exist, tar fails.
Without the change test-dpp fails on aarch64-linux as:

    $ unit/test-dpp
    TEST: DPP test responder-only key derivation
    TEST: DPP test mutual key derivation
    TEST: DPP test PKEX key derivation
    test-dpp: unit/test-dpp.c:514: test_pkex_key_derivation: Assertion `!memcmp(tmp, __tmp, 32)' failed.

This happens due to int/size_t type mismatch passed to vararg
parameters to prf_plus():

    bool prf_plus(enum l_checksum_type type, const void *key, size_t key_len,
                  void *out, size_t out_len, size_t n_extra, ...)
    {
        // ...
        va_start(va, n_extra);

        for (i = 0; i < n_extra; i++) {
            iov[i + 1].iov_base = va_arg(va, void *);
            iov[i + 1].iov_len = va_arg(va, size_t);
        // ...

Note that varargs here could only be a sequence of `void *` / `size_t`
values.

But in src/dpp-util.c `iwd` attempted to pass `int` there:

    prf_plus(sha, prk, bytes, z_out, bytes, 5,
             mac_i, 6, // <- here
             mac_r, 6, // <- and here
             m_x, bytes,
             n_x, bytes,
             key, strlen(key));

aarch64 stores only 32-bit value part of the register:

    mov w7, #0x6
    str w7, [sp, #...]

and loads full 64-bit form of the register:

    ldr x3, [x3]

As a result higher bits of `iov[].iov_len` contain unexpected values and
sendmsg sends a lot more data than expected to the kernel.

The change fixes test-dpp test for me.

While at it fixed obvious `int` / `size_t` mismatch in src/erp.c.
src/dpp-util.c | 5 +++--
src/erp.c | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
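
The argument contract described in the commit message, as an added example that is not code from iwd or from this patch: a variadic gatherer that reads `void *` / `size_t` pairs the way `prf_plus()` does, with two defensive measures on top. `gather_segments()`, the `SEG()` macro, `MAX_SEG_LEN` and the sample data are all hypothetical names and values chosen for illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

#define MAX_SEGS 8
#define MAX_SEG_LEN 4096	/* assumed sanity bound, not taken from iwd */

/* Forces each (pointer, length) pair to the exact types va_arg() reads. */
#define SEG(ptr, len) ((void *) (ptr)), ((size_t) (len))

/* Hypothetical stand-in for the va_arg loop in prf_plus(). */
static bool gather_segments(struct iovec *iov, size_t *total,
				size_t n_extra, ...)
{
	va_list va;
	bool ok = n_extra <= MAX_SEGS;
	size_t i;

	*total = 0;
	va_start(va, n_extra);
	for (i = 0; ok && i < n_extra; i++) {
		iov[i].iov_base = va_arg(va, void *);
		iov[i].iov_len = va_arg(va, size_t);
		/* Reject lengths no caller could mean, e.g. stale high bits. */
		if (iov[i].iov_len > MAX_SEG_LEN)
			ok = false;
		else
			*total += iov[i].iov_len;
	}
	va_end(va);
	return ok;
}

/* Constructed sample data: two 6-byte MACs and a short key string. */
static unsigned char mac_i[6] = { 2, 0, 0, 0, 0, 1 };
static unsigned char mac_r[6] = { 2, 0, 0, 0, 0, 2 };
static char key[] = "sample-key";

int main(void)
{
	struct iovec iov[MAX_SEGS];
	size_t total;
	bool ok = gather_segments(iov, &total, 3, SEG(mac_i, 6),
					SEG(mac_r, 6), SEG(key, strlen(key)));

	printf("ok=%d total=%zu\n", ok, total);
	return ok ? 0 : 1;
}
```

The cast in `SEG()` removes the mismatch at the call site, while the length bound in the callee turns a corrupted `iov_len` into a clean failure before it reaches anything like `sendmsg`.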