<p>Pau Espin Pedrol has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/9207">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">WIP: gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not multiple of 64 bits<br><br>Fixes following AddressSanitizer report during gea_test run with gcc<br>8.1.0:<br><br>==8899==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc5f1719bb at pc 0x7fe574adc5fe bp 0x7ffc5f171460 sp 0x7ffc5f171450<br>WRITE of size 1 at 0x7ffc5f1719bb thread T0<br> #0 0x7fe574adc5fd in osmo_store64be_ext ../../include/osmocom/core/bit64gen.h:75<br> #1 0x7fe574adc649 in osmo_store64be ../../include/osmocom/core/bit64gen.h:104<br> #2 0x7fe574ade936 in _kasumi_kgcore libosmocore/src/gsm/kasumi.c:186<br> #3 0x7fe574ae2532 in gea4 libosmocore/src/gsm/gea.c:44<br> #4 0x7fe574ae266c in gea3 libosmocore/src/gsm/gea.c:60<br> #5 0x7fe574a9b616 in gprs_cipher_run libosmocore/src/gsm/gprs_cipher_core.c:95<br> #6 0x56422d3fb2ee in test_gea libosmocore/tests/gea/gea_test.c:29<br> #7 0x56422d3fb506 in main libosmocore/tests/gea/gea_test.c:49<br> #8 0x7fe5730f406a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)<br> #9 0x56422d3fadf9 in _start (libosmocore/tests/gea/.libs/lt-gea_test+0x1df9)<br><br>Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1<br>---<br>M src/gsm/kasumi.c<br>1 file changed, 6 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/07/9207/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gsm/kasumi.c b/src/gsm/kasumi.c</span><br><span>index 7de5cd0..15f564e 100644</span><br><span>--- a/src/gsm/kasumi.c</span><br><span>+++ b/src/gsm/kasumi.c</span><br><span>@@ -159,6 +159,7 @@</span><br><span> }</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* co must be multiple of 8 */</span><br><span> void _kasumi_kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, const uint8_t *ck, uint8_t *co, uint16_t cl)</span><br><span> {</span><br><span> uint16_t KLi1[8], KLi2[8], KOi1[8], KOi2[8], KOi3[8], KIi1[8], KIi2[8], KIi3[8], i;</span><br><span>@@ -181,8 +182,12 @@</span><br><span> _kasumi_key_expand(ck, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);</span><br><span> </span><br><span> /* i is a block counter */</span><br><span style="color: hsl(0, 100%, 40%);">- for (i = 0; i < cl / 64 + 1; i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < cl / 64; i++) {</span><br><span> BLK = _kasumi(A ^ i ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);</span><br><span> osmo_store64be(BLK, co + (i * 8));</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Last round */</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t reminder = cl/8%4;</span><br><span style="color: hsl(120, 100%, 40%);">+ BLK = _kasumi(A ^ cl / 64 ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_store64be_ext(BLK, co + (cl / 64 * 8), reminder ? : 4);</span><br><span> }</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/9207">change 9207</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/9207"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: libosmocore </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1 </div>
<div style="display:none"> Gerrit-Change-Number: 9207 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Pau Espin Pedrol <pespin@sysmocom.de> </div>