[crypto] improve checks around RX packet size

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
kronosnet · Apr 20, 2018 · 458becf · 458becf
1 parent b5a655f
commit 458becf
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/libknet/crypto_nss.c b/libknet/crypto_nss.c
@@ -426,6 +426,11 @@ static int decrypt_nss (
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = -1;
 
+	if (datalen <= 0) {
+		log_err(knet_h, KNET_SUB_NSSCRYPTO, "Packet is too short");
+		goto out;
+	}
+
 	/* Create cipher context for decryption */
 	decrypt_param.type = siBuffer;
 	decrypt_param.data = salt;
@@ -466,7 +471,6 @@ static int decrypt_nss (
 	return err;
 }
 
-
 /*
  * hash/hmac/digest functions
  */
@@ -672,7 +676,7 @@ static int nsscrypto_authenticate_and_decrypt (
 		unsigned char tmp_hash[nsshash_len[instance->crypto_hash_type]];
 		ssize_t temp_buf_len = buf_in_len - nsshash_len[instance->crypto_hash_type];
 
-		if ((temp_buf_len < 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
+		if ((temp_buf_len <= 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
 			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Incorrect packet size.");
 			return -1;
 		}

diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
@@ -229,14 +229,20 @@ static int decrypt_openssl (
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
-	EVP_CIPHER_CTX	*ctx;
+	EVP_CIPHER_CTX	*ctx = NULL;
 	int		tmplen1 = 0, tmplen2 = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = 0;
 	char		sslerr[SSLERR_BUF_SIZE];
 
+	if (datalen <= 0) {
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Packet is too short");
+		err = -1;
+		goto out;
+	}
+
 	ctx = EVP_CIPHER_CTX_new();
 
 	/*
@@ -266,7 +272,9 @@ static int decrypt_openssl (
 	*buf_out_len = tmplen1 + tmplen2;
 
 out:
-	EVP_CIPHER_CTX_free(ctx);
+	if (ctx) {
+		EVP_CIPHER_CTX_free(ctx);
+	}
 	return err;
 }
 #endif
@@ -366,7 +374,7 @@ static int opensslcrypto_authenticate_and_decrypt (
 		unsigned char tmp_hash[knet_h->sec_hash_size];
 		ssize_t temp_buf_len = buf_in_len - knet_h->sec_hash_size;
 
-		if ((temp_buf_len < 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
+		if ((temp_buf_len <= 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Incorrect packet size.");
 			return -1;
 		}