tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git

commit a7ca71cf6b2fb46b049442569188ce046cfd6c34
parent 512dfa15edf9723cb5bfa2b86d5658e320496445
Author: Nick Mathewson <nickm@torproject.org>
Date:   Sat, 11 Nov 2017 14:42:39 -0500

Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys

This function -- a mock replacement used only for fuzzing -- would
have a buffer overflow if it got an RSA key whose modulus was under
20 bytes long.

Fortunately, Tor itself does not appear to have a bug here.

Fixes bug 24247; bugfix on 0.3.0.3-alpha when fuzzing was
introduced.  Found by OSS-Fuzz; this is OSS-Fuzz issue 4177.

Diffstat:
A changes/bug24247 | 6 ++++++
M src/test/fuzz/fuzzing_common.c | 5 +++--
2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/changes/bug24247 b/changes/bug24247 @@ -0,0 +1,6 @@ + o Minor bugfixes (fuzzing): + - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to + correctly handle cases where a caller gives it an RSA key of under 160 + bits. (This is not actually a bug in Tor itself, but wrather in our + fuzzing code.) Fixes bug 24247; bugfix on 0.3.0.3-alpha. + Found by OSS-Fuzz as issue 4177. diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c @@ -28,8 +28,9 @@ mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to, (void)fromlen; /* We could look at from[0..fromlen-1] ... */ tor_assert(tolen >= crypto_pk_keysize(env)); - memset(to, 0x01, 20); - return 20; + size_t siglen = MIN(20, crypto_pk_keysize(env)); + memset(to, 0x01, siglen); + return (int)siglen; } static int
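Review bot: typo in the changes/bug24247 hunk, "but wrather in our fuzzing code" should read "but rather in our fuzzing code"; since this file is what ends up in the ChangeLog, fix it before merge. The rest of the entry is consistent with the code change (160 bits is the 20-byte modulus the mock assumed).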
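Review bot: in the src/test/fuzz/fuzzing_common.c hunk, `size_t siglen = MIN(20, crypto_pk_keysize(env));` is a declaration placed after a statement (the `tor_assert`); if this tree still wants declarations at the start of the block, move it above the assert or to the top of the function. The bound itself is right: `siglen <= crypto_pk_keysize(env)`, and the preceding `tor_assert(tolen >= crypto_pk_keysize(env))` gives `siglen <= tolen`, so the `memset` can no longer write past `to` for a short key, and the `(int)siglen` cast is safe because `siglen` is at most 20. A one-line comment saying why 20 is capped by the key size would help the next reader of this mock.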