Fix omac1_aes_128_vector() not to read beyond addr/len array

Previously, it was possible for the loop through the data components to
increment addr/len index at the last position beyond the declared size.
This resulted in reading beyond those arrays. The read values were not
used and as such, this was unlikely to cause noticeable issues, but
anyway, memory checkers can detect this and the correct behavior is to
stop increments before going beyond the arrays since no more bytes will
be processed after this anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-11-30 15:39:34 +02:00
parent 763041b2e8
commit 0a11409c00

View File

@ -65,6 +65,13 @@ int omac1_aes_128_vector(const u8 *key, size_t num_elem,
for (i = 0; i < AES_BLOCK_SIZE; i++) { for (i = 0; i < AES_BLOCK_SIZE; i++) {
cbc[i] ^= *pos++; cbc[i] ^= *pos++;
if (pos >= end) { if (pos >= end) {
/*
* Stop if there are no more bytes to process
* since there are no more entries in the array.
*/
if (i + 1 == AES_BLOCK_SIZE &&
left == AES_BLOCK_SIZE)
break;
e++; e++;
pos = addr[e]; pos = addr[e];
end = pos + len[e]; end = pos + len[e];
@ -83,6 +90,12 @@ int omac1_aes_128_vector(const u8 *key, size_t num_elem,
for (i = 0; i < left; i++) { for (i = 0; i < left; i++) {
cbc[i] ^= *pos++; cbc[i] ^= *pos++;
if (pos >= end) { if (pos >= end) {
/*
* Stop if there are no more bytes to process
* since there are no more entries in the array.
*/
if (i + 1 == left)
break;
e++; e++;
pos = addr[e]; pos = addr[e];
end = pos + len[e]; end = pos + len[e];