From 2f6d0c006c3ffc8ea89cc8409a1b9525f833f184 Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Sun, 25 Nov 2018 10:55:28 +0100 Subject: [PATCH] Check for algorithms string lengths in crypt_cipher_check(). The kernel check will fail anyway if string is truncated, but this make some compilers more happy. --- lib/crypto_backend/crypto_cipher_kernel.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c index 1e43b23c..0684254e 100644 --- a/lib/crypto_backend/crypto_cipher_kernel.c +++ b/lib/crypto_backend/crypto_cipher_kernel.c @@ -203,7 +203,8 @@ int crypt_cipher_check(const char *name, const char *mode, const char *integrity, size_t key_length) { struct crypt_cipher *c = NULL; - char mode_name[64], *real_mode = NULL, *cipher_iv = NULL, *key, *salg_type; + char mode_name[64], tmp_salg_name[180], *real_mode = NULL, *cipher_iv = NULL, *key; + const char *salg_type; bool aead; int r; struct sockaddr_alg sa = { @@ -225,16 +226,22 @@ int crypt_cipher_check(const char *name, const char *mode, salg_type = aead ? "aead" : "skcipher"; snprintf((char *)sa.salg_type, sizeof(sa.salg_type), "%s", salg_type); + memset(tmp_salg_name, 0, sizeof(tmp_salg_name)); /* FIXME: this is duplicating a part of devmapper backend */ if (aead && !strcmp(integrity, "poly1305")) - snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "rfc7539(%s,%s)", name, integrity); + r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "rfc7539(%s,%s)", name, integrity); else if (!real_mode) - snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s", name); + r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s", name); else if (aead && !strcmp(real_mode, "ccm")) - snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "rfc4309(%s(%s))", real_mode, name); + r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "rfc4309(%s(%s))", real_mode, name); else - snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", real_mode, name); + r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s(%s)", real_mode, name); + + if (r <= 0 || r > (sizeof(sa.salg_name) - 1)) + return -EINVAL; + + memcpy(sa.salg_name, tmp_salg_name, sizeof(sa.salg_name)); key = malloc(key_length); if (!key)