Pau Espin Pedrol gerrit-no-reply at lists.osmocom.orgPau Espin Pedrol has uploaded this change for review. ( https://gerrit.osmocom.org/9207 Change subject: WIP: gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not multiple of 64 bits ...................................................................... WIP: gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not multiple of 64 bits Fixes following AddressSanitizer report during gea_test run with gcc 8.1.0: ==8899==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc5f1719bb at pc 0x7fe574adc5fe bp 0x7ffc5f171460 sp 0x7ffc5f171450 WRITE of size 1 at 0x7ffc5f1719bb thread T0 #0 0x7fe574adc5fd in osmo_store64be_ext ../../include/osmocom/core/bit64gen.h:75 #1 0x7fe574adc649 in osmo_store64be ../../include/osmocom/core/bit64gen.h:104 #2 0x7fe574ade936 in _kasumi_kgcore libosmocore/src/gsm/kasumi.c:186 #3 0x7fe574ae2532 in gea4 libosmocore/src/gsm/gea.c:44 #4 0x7fe574ae266c in gea3 libosmocore/src/gsm/gea.c:60 #5 0x7fe574a9b616 in gprs_cipher_run libosmocore/src/gsm/gprs_cipher_core.c:95 #6 0x56422d3fb2ee in test_gea libosmocore/tests/gea/gea_test.c:29 #7 0x56422d3fb506 in main libosmocore/tests/gea/gea_test.c:49 #8 0x7fe5730f406a in __libc_start_main (/usr/lib/libc.so.6+0x2306a) #9 0x56422d3fadf9 in _start (libosmocore/tests/gea/.libs/lt-gea_test+0x1df9) Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1 --- M src/gsm/kasumi.c 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/07/9207/1 diff --git a/src/gsm/kasumi.c b/src/gsm/kasumi.c index 7de5cd0..15f564e 100644 --- a/src/gsm/kasumi.c +++ b/src/gsm/kasumi.c @@ -159,6 +159,7 @@ } } +/* co must be multiple of 8 */ void _kasumi_kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, const uint8_t *ck, uint8_t *co, uint16_t cl) { uint16_t KLi1[8], KLi2[8], KOi1[8], KOi2[8], KOi3[8], KIi1[8], KIi2[8], KIi3[8], i; 
@@ -181,8 +182,12 @@ _kasumi_key_expand(ck, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); /* i is a block counter */ - for (i = 0; i < cl / 64 + 1; i++) { + for (i = 0; i < cl / 64; i++) { BLK = _kasumi(A ^ i ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); osmo_store64be(BLK, co + (i * 8)); } + /* Last round */ + uint8_t reminder = cl/8%4; + BLK = _kasumi(A ^ cl / 64 ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + osmo_store64be_ext(BLK, co + (cl / 64 * 8), reminder ? : 4); } -- To view, visit https://gerrit.osmocom.org/9207 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1 Gerrit-Change-Number: 9207 Gerrit-PatchSet: 1 Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180516/340abbda/attachment.htm>
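Review bot: The comment added above `_kasumi_kgcore` in the first hunk, `/* co must be multiple of 8 */`, is ambiguous because `co` is a pointer: it could mean the buffer's size in bytes, its alignment, or the value of `cl`. It also reads as a precondition that the change subject says is being lifted (out buffers not a multiple of 64 bits). Suggest documenting the contract in terms of `cl` instead: state the unit of `cl` (the loop bound `cl / 64` treats it as bits) and the minimum number of bytes the caller must provide in `co`.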
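Review bot: In the "Last round" block of the second hunk, `uint8_t reminder = cl/8%4;` reduces the leftover byte count modulo 4, but each block written by `osmo_store64be` is 8 bytes, so a tail of 5 to 7 bytes is cut short. When `cl` is an exact multiple of 64, `reminder` is 0 and `osmo_store64be_ext(BLK, co + (cl / 64 * 8), reminder ? : 4)` still writes 4 bytes at the end of the data already stored by the loop, which is past the end of `co` if the caller sized it to `cl / 8` bytes, so the overflow remains for that case. Suggest computing the tail length as `(cl % 64 + 7) / 8` and skipping the last round when it is 0; note that `cl/8` also drops trailing bits when `cl` is not a multiple of 8. Minor points: `reminder` should be spelled `remainder`, the `? :` form with an omitted middle operand is a GNU extension, the declaration sits after statements, and `A ^ cl / 64 ^ BLK` would be easier to read with parentheses around `cl / 64`.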