[rsaenh]: Correction for hash update during failed decryption
Kees Cook
kees at outflux.net
Mon May 16 00:31:14 CDT 2005
If CryptDecrypt is called with a bad key, *pdwDataLen can end up holding a
length that extends past the end of the buffer. Because the function still
goes on to update the hash, the hash update reads outside the buffer. This
patch protects against that.
ChangeLog:
avoid segfault in hash update with corrupted decrypt data
--
Kees Cook @outflux.net
-------------- next part --------------
Index: dlls/rsaenh/rsaenh.c
===================================================================
RCS file: /home/wine/wine/dlls/rsaenh/rsaenh.c,v
retrieving revision 1.26
diff -u -p -r1.26 rsaenh.c
--- dlls/rsaenh/rsaenh.c 18 Apr 2005 15:36:21 -0000 1.26
+++ dlls/rsaenh/rsaenh.c 16 May 2005 05:25:24 -0000
@@ -1929,6 +1929,7 @@ BOOL WINAPI RSAENH_CPDecrypt(HCRYPTPROV
CRYPTKEY *pCryptKey;
BYTE *in, out[RSAENH_MAX_BLOCK_SIZE], o[RSAENH_MAX_BLOCK_SIZE];
DWORD i, j, k;
+ DWORD dwMax;
TRACE("(hProv=%08lx, hKey=%08lx, hHash=%08lx, Final=%d, dwFlags=%08lx, pbData=%p, "
"pdwDataLen=%p)\n", hProv, hKey, hHash, Final, dwFlags, pbData, pdwDataLen);
@@ -1959,6 +1960,8 @@ BOOL WINAPI RSAENH_CPDecrypt(HCRYPTPROV
SetLastError(NTE_BAD_DATA);
return FALSE;
}
+
+ dwMax=*pdwDataLen;
if (GET_ALG_TYPE(pCryptKey->aiAlgid) == ALG_TYPE_BLOCK) {
for (i=0, in=pbData; i<*pdwDataLen; i+=pCryptKey->dwBlockLen, in+=pCryptKey->dwBlockLen) {
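Review bot: The `dwMax=*pdwDataLen;` snapshot has no comment explaining what it bounds, and the name alone does not say it is the caller-supplied input length. A short comment such as `/* input length on entry; the length written back to *pdwDataLen must never exceed it */` would make the invariant that the later check enforces explicit. The body of RSAENH_CPDecrypt starts before and continues after this hunk, so any other writers of *pdwDataLen are not visible here.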
@@ -2012,7 +2015,8 @@ BOOL WINAPI RSAENH_CPDecrypt(HCRYPTPROV
if (Final) setup_key(pCryptKey);
if (is_valid_handle(&handle_table, hHash, RSAENH_MAGIC_HASH)) {
- if (!RSAENH_CPHashData(hProv, hHash, pbData, *pdwDataLen, 0)) return FALSE;
+ if (*pdwDataLen>dwMax ||
+ !RSAENH_CPHashData(hProv, hHash, pbData, *pdwDataLen, 0)) return FALSE;
}
return TRUE;
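Review bot: The `*pdwDataLen>dwMax` bound is only tested inside the `is_valid_handle(&handle_table, hHash, RSAENH_MAGIC_HASH)` branch, so a decrypt call without a hash handle still falls through to `return TRUE` with an out-of-range length left in *pdwDataLen for the caller to trust. Hoisting the test above the hash branch would cover both paths: `if (*pdwDataLen > dwMax) { SetLastError(NTE_BAD_DATA); return FALSE; }`. That form also sets a last-error code, which the combined condition does not, whereas the other rejection path visible in this function calls `SetLastError(NTE_BAD_DATA)` before returning FALSE. The oversized value is presumably produced by the unpadding step in the block loop, which lies outside this hunk; validating it where it is computed would be the more direct fix.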