diff options
author | Nicolai Stange <nicstange@gmail.com> | 2016-03-22 13:12:42 +0100 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2016-04-05 20:35:49 +0800 |
commit | 462696fd0fd2aae2fd38d22d19b2d08a55606014 (patch) | |
tree | ec9191a5ed4157b3b372f43cea44374df5369c54 /lib/mpi | |
parent | 90f864e20029600a8dc33e27b1192af4636100d4 (diff) | |
download | op-kernel-dev-462696fd0fd2aae2fd38d22d19b2d08a55606014.zip op-kernel-dev-462696fd0fd2aae2fd38d22d19b2d08a55606014.tar.gz |
lib/mpi: mpi_read_buffer(): fix buffer overflow
Currently, mpi_read_buffer() writes full limbs to the output buffer
and moves memory around to purge leading zero limbs afterwards.
However, with
commit 9cbe21d8f89d ("lib/mpi: only require buffers as big as needed for
the integer")
the caller is only required to provide a buffer large enough to hold the
result without the leading zeros.
This might result in a buffer overflow for small MP numbers with leading
zeros.
Fix this by coping the result to its final destination within the output
buffer and not copying the leading zeros at all.
Fixes: 9cbe21d8f89d ("lib/mpi: only require buffers as big as needed for
the integer")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'lib/mpi')
-rw-r--r-- | lib/mpi/mpicoder.c | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c index a999ee1..d995a4c 100644 --- a/lib/mpi/mpicoder.c +++ b/lib/mpi/mpicoder.c @@ -201,16 +201,9 @@ int mpi_read_buffer(MPI a, uint8_t *buf, unsigned buf_len, unsigned *nbytes, #else #error please implement for this limb size. #endif - memcpy(p, &alimb, BYTES_PER_MPI_LIMB); - p += BYTES_PER_MPI_LIMB; - if (lzeros > 0) { - mpi_limb_t *limb1 = (void *)p - sizeof(alimb); - mpi_limb_t *limb2 = (void *)p - sizeof(alimb) - + lzeros; - *limb1 = *limb2; - p -= lzeros; - lzeros -= sizeof(alimb); - } + memcpy(p, (u8 *)&alimb + lzeros, BYTES_PER_MPI_LIMB - lzeros); + p += BYTES_PER_MPI_LIMB - lzeros; + lzeros = 0; } return 0; } |