@fionn fionn commented Jun 23, 2020

The rc4 function iterates over a buffer of size buffer_len whose maximum
value is INT_MAX with a counter of type short that is not guaranteed to
have maximum size INT_MAX.

In circumstances where short is narrower than int and where buffer_len
is larger than the maximum value of a short, it may be possible to loop
infinitely as counter will overflow and never be greater than or equal
to buffer_len.

The solution is to make the comparison be between types of equal width.
This commit defines counter as an int.
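
The loop shape described above, as an added example that is not code from c-ares or from this pull request: it runs the same bounded loop with a `short` counter and with an `int` counter and reports whether the counter wrapped. The names `loop_result`, `run_short_counter`, `run_int_counter` and `max_steps` are hypothetical; it assumes `short` is narrower than `int` and that out-of-range conversion to `short` wraps, as it does with GCC and Clang.

```c
#include <limits.h>
#include <stdio.h>

struct loop_result {
    long steps;   /* loop bodies executed */
    int wrapped;  /* 1 if the counter ever decreased */
};

/* Counter narrower than the bound: the shape described in the PR. */
static struct loop_result run_short_counter(int buffer_len, long max_steps)
{
    struct loop_result r = {0, 0};
    short counter, prev = 0;

    for (counter = 0; counter < buffer_len; counter++) {
        if (counter < prev)
            r.wrapped = 1;
        prev = counter;
        if (++r.steps >= max_steps)  /* safety cap so the demo terminates */
            break;
    }
    return r;
}

/* Counter of the same type as the bound: the shape after the fix. */
static struct loop_result run_int_counter(int buffer_len, long max_steps)
{
    struct loop_result r = {0, 0};
    int counter, prev = 0;

    for (counter = 0; counter < buffer_len; counter++) {
        if (counter < prev)
            r.wrapped = 1;
        prev = counter;
        if (++r.steps >= max_steps)
            break;
    }
    return r;
}

int main(void)
{
    int len = (int)SHRT_MAX + 1;  /* smallest length a short cannot reach */
    struct loop_result s = run_short_counter(len, 200000L);
    struct loop_result i = run_int_counter(len, 200000L);

    printf("short counter: steps=%ld wrapped=%d\n", s.steps, s.wrapped);
    printf("int counter:   steps=%ld wrapped=%d\n", i.steps, i.wrapped);
    return 0;
}
```

With the `short` counter the loop only stops because of the safety cap; with the `int` counter it stops after exactly `buffer_len` iterations.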

@coveralls
Coverage Status

Coverage remained the same at 89.145% when pulling 5fd0e8c on fionn:equal-width-comparison into d561177 on c-ares:master.

@bradh352 bradh352 merged commit 6d6cd5d into c-ares:master Jul 2, 2020
sergepetrenko pushed a commit to tarantool/c-ares that referenced this pull request Jul 29, 2022
Fix By: Fionn Fitzmaurice (@fionn)