Out-of-bounds array access in DH key generation

Bug #667764 reported by Stefan Götz
Affects | Status | Importance | Assigned to | Milestone
HIPL | Fix Released | Undecided | Unassigned |

Bug Description

Compiling with -O3 fails, revealing an out-of-bounds access to an array in hipd/dh.c:hip_regen_dh_keys().

lib/core/crypto.h:
#define HIP_MAX_DH_GROUP_ID 7

hipd/dh.c:
DH *dh_table[HIP_MAX_DH_GROUP_ID] = {0};
[...]
    for (i = 1; i <= HIP_MAX_DH_GROUP_ID; i++) {
[...]
            okey = dh_table[i];
            dh_table[i] = tmp;
[...]
    }

It seems that the array dh_table with 7 entries is accessed at index 7, i.e., beyond its actual size.

Miika Komu (miika-iki) wrote :

Change the <= to < and commit to trunk? Good catch.

Stefan Götz (stefan.goetz-deactivatedaccount) wrote :

I think that the iteration should also start at 0 instead of 1, but I hadn't had a closer look. In case similar patterns were copied and pasted, looking at every access to the dh_table array certainly wouldn't hurt before rushing quick fixes.

Miika Komu (miika-iki) wrote :

Sorry, my bad.

Changed in hipl:
status: New → Fix Committed
Changed in hipl:
status: Fix Committed → Fix Released
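The off-by-one discussed in this report, as an added example that is not HIPL code and not the committed fix: every index goes through one checked accessor, and the full-table loop takes its bound from the array itself. Only HIP_MAX_DH_GROUP_ID and dh_table come from the report; struct dh_key, key_pool, dh_slot, regen_range and regen_all are hypothetical names, and struct dh_key stands in for OpenSSL's DH.

```c
#include <stddef.h>
#include <stdio.h>

#define HIP_MAX_DH_GROUP_ID 7                 /* value quoted in the report */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct dh_key { int generation; };            /* hypothetical stand-in for DH */

static struct dh_key  key_pool[HIP_MAX_DH_GROUP_ID];  /* constructed storage */
static struct dh_key *dh_table[HIP_MAX_DH_GROUP_ID];  /* valid indices: 0..6 */

/* Single checked accessor: the only code that indexes dh_table. */
static struct dh_key **dh_slot(size_t idx)
{
    return idx < ARRAY_SIZE(dh_table) ? &dh_table[idx] : NULL;
}

/* Walk [first, last] inclusive, as the reported loop does. Returns the number
 * of slots regenerated; *rejected counts indices the accessor refused. */
static int regen_range(size_t first, size_t last, int *rejected)
{
    int done = 0;
    *rejected = 0;
    for (size_t i = first; i <= last; i++) {
        struct dh_key **slot = dh_slot(i);
        if (slot == NULL) {                   /* index 7 ends up here */
            (*rejected)++;
            continue;
        }
        key_pool[i].generation++;             /* "generate" a fresh key */
        *slot = &key_pool[i];                 /* swap it into the table */
        done++;
    }
    return done;
}

/* Bound derived from the array, so resizing dh_table cannot desynchronise it. */
static int regen_all(void)
{
    int rejected;
    return regen_range(0, ARRAY_SIZE(dh_table) - 1, &rejected);
}

int main(void)
{
    int rejected;
    int done = regen_range(1, HIP_MAX_DH_GROUP_ID, &rejected);
    printf("reported bounds: %d regenerated, %d rejected\n", done, rejected);
    printf("array-derived bounds: %d regenerated\n", regen_all());
    return 0;
}
```

With the reported bounds, slot 0 is never touched and index 7 is refused, which is why each access to dh_table needs to be checked against the intended indexing scheme rather than only adjusting the comparison.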