one-byte stack-based buffer overflow in bcrypt_hash.
- Subject: one-byte stack-based buffer overflow in bcrypt_hash.
- From: "George Garner (online)" <ggarner_online@xxxxxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 25 Apr 2017 08:23:02 -0400
- To: libssh@xxxxxxxxxx
When I compile libssh with the VS2015 compiler, the following lines

    blf_ctx state;
    uint8_t ciphertext[BCRYPT_HASHSIZE] = "OxychromaticBlowfishSwatDynamite";

where strlen("OxychromaticBlowfishSwatDynamite") == BCRYPT_HASHSIZE.

The reason is that the variable ciphertext is being initialized with a "C" string, which is null terminated. Thus, sizeof("OxychromaticBlowfishSwatDynamite") == (BCRYPT_HASHSIZE + 1). When ciphertext is initialized, the compiler writes the null terminating byte to the most significant byte of the variable "state". In practice the error is harmless. But maybe somebody will change things around some day, resulting in a heisenbug.

One way to patch the bug would be like this:

    blf_ctx state;
-   uint8_t ciphertext[BCRYPT_HASHSIZE] =
+   uint8_t ciphertext[BCRYPT_HASHSIZE + 1] =
        "OxychromaticBlowfishSwatDynamite";

    for (i = 0; i < BCRYPT_WORDS; i++)
-       cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext,
+       cdata[i] = Blowfish_stream2word(ciphertext, BCRYPT_HASHSIZE,
            &j);
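Review bot: the second hunk as posted will not apply cleanly, because its removed line reads "sizeof(ciphertext," with no closing parenthesis before the comma, which is not something a compiling source file can contain; please regenerate the diff with "diff -u" against a clean checkout so the "-" lines match the file byte for byte. On substance, the initializer on the removed line of the first hunk is valid C: when a string literal is exactly the length of the array it initializes, C11 6.7.9p14 drops the terminating NUL and no byte is written past the array, and it is C++ (or a compiler in a non-conforming mode) that rejects or mishandles it, so the description should state which compiler mode actually emits the extra byte; widening the array to BCRYPT_HASHSIZE + 1 is still a reasonable portability change. The two hunks must land together: once the array becomes BCRYPT_HASHSIZE + 1 bytes, sizeof(ciphertext) silently becomes 33 and would no longer equal BCRYPT_HASHSIZE, so replacing it with the macro is required, not cosmetic; consider adding a static assertion or a comment tying the literal's length to BCRYPT_HASHSIZE so the two cannot drift apart later.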
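A worked example in C, added here as an illustration; it is not code from George Garner's mail, from libssh, or from OpenBSD. It reproduces the mechanics the mail describes (a string literal one byte longer than the array it initializes, and what a conforming C compiler does instead) and checks why the second hunk of the proposed patch belongs with the first. Every name prefixed demo_ is mine; demo_stream2word is assumed to mirror the semantics of Blowfish_stream2word (four bytes packed big-endian, read index wrapping to 0 at databytes), and the "neighbour" byte is a stand-in for whatever the compiler placed next to ciphertext on the stack, modelled as one flat array so the overrun is observable without undefined behaviour.

```c
/* Added example, not libssh or OpenBSD code.  demo_ names are mine;
 * demo_stream2word mirrors the semantics of Blowfish_stream2word
 * (assumption: big-endian packing, index wraps to 0 at databytes). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BCRYPT_WORDS    8
#define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4)   /* 32 */

static const char demo_magic[] = "OxychromaticBlowfishSwatDynamite";

/* sizeof counts the terminating NUL, strlen does not: 33 versus 32. */
size_t demo_literal_sizeof(void) { return sizeof(demo_magic); }
size_t demo_literal_strlen(void) { return strlen(demo_magic); }

/* Flat model of the stack slot: bytes 0..31 are "ciphertext", byte 32
 * stands in for the adjacent object ("state" in the mail). */
#define DEMO_NEIGHBOUR BCRYPT_HASHSIZE
#define DEMO_CANARY    0xAA

/* Behaviour the mail describes: the whole literal, NUL included, goes
 * into a 32-byte slot, so the NUL lands on the neighbour.  Returns 0. */
int demo_neighbour_survives_full_copy(void)
{
    uint8_t frame[BCRYPT_HASHSIZE + 1];
    frame[DEMO_NEIGHBOUR] = DEMO_CANARY;
    memcpy(frame, demo_magic, sizeof(demo_magic));      /* 33 bytes */
    return frame[DEMO_NEIGHBOUR] == DEMO_CANARY;
}

/* Conforming C (C11 6.7.9p14): with no room for the NUL the initializer
 * drops it, so exactly 32 bytes exist to copy.  Returns 1. */
int demo_neighbour_survives_c_init(void)
{
    uint8_t ciphertext[BCRYPT_HASHSIZE] = "OxychromaticBlowfishSwatDynamite";
    uint8_t frame[BCRYPT_HASHSIZE + 1];
    frame[DEMO_NEIGHBOUR] = DEMO_CANARY;
    memcpy(frame, ciphertext, sizeof(ciphertext));      /* 32 bytes */
    return frame[DEMO_NEIGHBOUR] == DEMO_CANARY;
}

/* Mirror of Blowfish_stream2word: four bytes big-endian, index wraps. */
uint32_t demo_stream2word(const uint8_t *data, uint16_t databytes, uint16_t *current)
{
    uint32_t temp = 0;
    uint16_t j = *current;
    for (int i = 0; i < 4; i++, j++) {
        if (j >= databytes)
            j = 0;
        temp = (temp << 8) | data[j];
    }
    *current = j;
    return temp;
}

/* Same loop as bcrypt_hash; returns the stream index after the loop. */
uint16_t demo_fill_cdata(const uint8_t *data, uint16_t databytes, uint32_t cdata[BCRYPT_WORDS])
{
    uint16_t j = 0;
    for (int i = 0; i < BCRYPT_WORDS; i++)
        cdata[i] = demo_stream2word(data, databytes, &j);
    return j;
}

/* With the patched 33-byte array, sizeof(ciphertext) (33) and
 * BCRYPT_HASHSIZE (32) yield the same cdata: 8 words consume exactly
 * 32 bytes, so the wrap is never reached.  Returns 1 if equal. */
int demo_patch_hunks_agree(void)
{
    uint8_t ciphertext[BCRYPT_HASHSIZE + 1] = "OxychromaticBlowfishSwatDynamite";
    uint32_t by_sizeof[BCRYPT_WORDS], by_macro[BCRYPT_WORDS];
    demo_fill_cdata(ciphertext, (uint16_t)sizeof(ciphertext), by_sizeof);
    demo_fill_cdata(ciphertext, BCRYPT_HASHSIZE, by_macro);
    return memcmp(by_sizeof, by_macro, sizeof(by_sizeof)) == 0;
}

/* The lengths diverge only if a ninth word were ever read: with 33 the
 * NUL enters the stream, with 32 the stream wraps back to "Oxyc". */
uint32_t demo_ninth_word(uint16_t databytes)
{
    uint8_t ciphertext[BCRYPT_HASHSIZE + 1] = "OxychromaticBlowfishSwatDynamite";
    uint32_t cdata[BCRYPT_WORDS];
    uint16_t j = demo_fill_cdata(ciphertext, databytes, cdata);
    return demo_stream2word(ciphertext, databytes, &j);
}

int main(void)
{
    printf("sizeof literal = %zu, strlen = %zu\n",
           demo_literal_sizeof(), demo_literal_strlen());
    printf("full copy keeps neighbour: %d, C init keeps neighbour: %d\n",
           demo_neighbour_survives_full_copy(), demo_neighbour_survives_c_init());
    printf("hunks agree: %d, ninth word(33) = %08x, ninth word(32) = %08x\n",
           demo_patch_hunks_agree(), demo_ninth_word(33), demo_ninth_word(32));
    return 0;
}
```

Compile it as C, not C++: a C++ compiler rejects the exactly-sized initializer in demo_neighbour_survives_c_init outright, which is the portability point behind widening the array. The demo_ninth_word pair shows the only way the two lengths could ever disagree, so keeping BCRYPT_HASHSIZE and the literal's length tied together (for example with a static assertion) is what prevents the "heisenbug" the mail worries about.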