Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reading arbitrary stack memory in aes_gcm_openssl_set_aad() #44

Closed
ukreator opened this issue Mar 27, 2014 · 2 comments
Closed

Reading arbitrary stack memory in aes_gcm_openssl_set_aad() #44

ukreator opened this issue Mar 27, 2014 · 2 comments

Comments

@ukreator
Copy link
Contributor

OpenSSL function call at aes_gcm_ossl.c:261 can sometimes read more than is pointed by aad function argument. For example, if called from srtp.c:2415. In this case tseq is 4 bytes long, but 8 bytes is read.

Fix could be to use aad_len instead of c->tag_len when calling EVP_CIPHER_CTX_ctrl, but I'm not sure about it.
@jfigus
Copy link
Contributor

jfigus commented Mar 27, 2014

Based on my understanding of OpenSSL, this is benign. Line 261 is simply setting the tag length for the upcoming decrypt operation, which is specified by c->tag_len. While the OpenSSL code does read from memory pointed by by *aad, the data that is read is irrelevant. The true processing on *aad is done on line 263 during the call to EVP_Cipher(). This is one of the joys of working with the OpenSSL API. Work with it enough and one will learn to dislike it.

@jfigus
Copy link
Contributor

jfigus commented Oct 8, 2014

Closing this issue due to inactivity.

@jfigus jfigus closed this as completed Oct 8, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ukreator @jfigus