Avoid overflow in RC4 loop comparison #336

Merged: bradh352 merged 1 commit into c-ares:master from fionn:equal-width-comparison on Jul 2, 2020


@fionn fionn commented Jun 23, 2020

The rc4 function iterates over a buffer of size buffer_len whose maximum
value is INT_MAX with a counter of type short that is not guaranteed to
have maximum size INT_MAX.

In circumstances where short is narrower than int and where buffer_len
is larger than the maximum value of a short, it may be possible to loop
infinitely as counter will overflow and never be greater than or equal
to buffer_len.

The solution is to make the comparison be between types of equal width.
This commit defines counter as an int.
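
The failure mode described above, as an added example in C that is not code from this pull request or from c-ares. The names `mix`, `walk_short`, `walk_int` and `demo` are hypothetical, the buffer is constructed, and the platform is assumed to have `short` narrower than `int` with a wrapping narrowing conversion (as with GCC and Clang).

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-byte work; not the c-ares rc4 code. */
static unsigned char mix(unsigned char b, int i) { return (unsigned char)(b ^ (i & 0xff)); }

/* "Before" shape: short counter compared against an int length.
 * Returns bytes processed, or -1 once the counter has wrapped; the guard
 * stands in for the endless spin so that the demonstration terminates. */
long walk_short(unsigned char *buf, int buffer_len)
{
    short counter = 0;
    while (counter < buffer_len) {
        if (counter < 0)   /* wrapped: stays below buffer_len forever */
            return -1;
        buf[counter] = mix(buf[counter], counter);
        counter++;         /* past SHRT_MAX the narrowing is implementation-defined */
    }
    return counter;
}

/* "After" shape: the counter has the same type as buffer_len. */
long walk_int(unsigned char *buf, int buffer_len)
{
    int counter;
    for (counter = 0; counter < buffer_len; counter++)
        buf[counter] = mix(buf[counter], counter);
    return counter;
}

/* Constructed input: a zeroed buffer of buffer_len bytes. */
long demo(int buffer_len, int use_short)
{
    unsigned char *buf = calloc((size_t)buffer_len, 1);
    long r;
    if (buf == NULL)
        return -2;
    r = use_short ? walk_short(buf, buffer_len) : walk_int(buf, buffer_len);
    free(buf);
    return r;
}

int main(void)
{
    printf("short, len=SHRT_MAX:   %ld\n", demo(SHRT_MAX, 1));
    printf("short, len=SHRT_MAX+1: %ld\n", demo(SHRT_MAX + 1, 1));
    printf("int,   len=SHRT_MAX+1: %ld\n", demo(SHRT_MAX + 1, 0));
    return 0;
}
```

A length of exactly `SHRT_MAX` still terminates with the short counter; one byte more is enough for the counter to wrap before the comparison can become false.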

@coveralls

Coverage Status

Coverage remained the same at 89.145% when pulling 5fd0e8c on fionn:equal-width-comparison into d561177 on c-ares:master.

@bradh352 bradh352 merged commit 6d6cd5d into c-ares:master Jul 2, 2020
2 checks passed
eriklax pushed a commit to halon/c-ares that referenced this pull request Aug 22, 2020
Fix By: Fionn Fitzmaurice (@fionn)
sergepetrenko pushed a commit to tarantool/c-ares that referenced this pull request Jul 29, 2022