Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
80 lines (63 sloc) 1.82 KB
/* Example code for bug CVE-2016-1938 in mp_div()
* author: Hanno Böck, license: CC0 / public domain
*
* The nss library before 3.21 contained a bug in the division
* function mp_div(). On certain corner cases it will produce
* wrong results.
*
* The mp_ functions are not part of the public API, one needs
* to compile libmpi separately to test those functions.
*/
#include <stdio.h>
#define MP_IOFUNC 1
#include <mpi/mpi.h>
void check_div(char *as, char *bs)
{
mp_int a, b, res1, res2, res3, res4, res5;
mp_init(&a);
mp_init(&b);
mp_init(&res1);
mp_init(&res2);
mp_init(&res3);
mp_init(&res4);
mp_init(&res5);
mp_read_radix(&a, as, 16);
mp_read_radix(&b, bs, 16);
mp_div(&a, &b, &res1, &res2);
printf("div ");
mp_print(&res1, stdout);
printf("\nmod ");
mp_print(&res2, stdout);
printf("\n");
mp_mul(&b, &res1, &res3);
mp_add(&res3, &res2, &res4);
printf("This should match the original a value:\n");
mp_print(&res4, stdout);
printf("\n");
mp_sub(&res4, &a, &res5);
printf("This should be zero:\n");
mp_print(&res5, stdout);
printf("\n\n");
mp_clear(&a);
mp_clear(&b);
mp_clear(&res1);
mp_clear(&res2);
mp_clear(&res3);
mp_clear(&res4);
mp_clear(&res5);
}
int main()
{
check_div("10000000000000001000000000000000000000",
"10000000000000001001");
check_div
("801C4D3A9DE4691ADDBFC7D2D2DE2DA7114125A77FECE17FDA204B73FA3CDA4FF783AEE4453952BEF81DF7A9114125A700",
"801C4D3A9DE4691ADDBFC7D2D2DE2DA7114125A7CEF66E9B76BAC1");
check_div
("B7B7B7B7B7B7B7B7B7B7B7939393939393939393939393939393B7B7B7B7B7B70080FFFFC1B7BAB70001B7",
"B7B7B7B7B7B7B7B7B7B7C1B7BAB7DE00648B");
check_div
("BFC7D2E66986FFFCE1B4D2DEF82CBEF80000FADACE4B73F710AED25E000004001DE9BEF81DE91DE9A9556301F7A9551C",
"BFC7D2E66986FFFCE1B4D2DEF82CBEF81DE9A9556301F7A9551CBFC7D2E46986FFFCE1B4D2BAC1");
return 0;
}
You can’t perform that action at this time.