From a7ca71cf6b2fb46b049442569188ce046cfd6c34 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 11 Nov 2017 14:42:39 -0500 Subject: [PATCH] Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys This function -- a mock replacement used only for fuzzing -- would have a buffer overflow if it got an RSA key whose modulus was under 20 bytes long. Fortunately, Tor itself does not appear to have a bug here. Fixes bug 24247; bugfix on 0.3.0.3-alpha when fuzzing was introduced. Found by OSS-Fuzz; this is OSS-Fuzz issue 4177. --- changes/bug24247 | 6 ++++++ src/test/fuzz/fuzzing_common.c | 5 +++-- 2 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 changes/bug24247 diff --git a/changes/bug24247 b/changes/bug24247 new file mode 100644 index 000000000..1f4ddcdde --- /dev/null +++ b/changes/bug24247 @@ -0,0 +1,6 @@ + o Minor bugfixes (fuzzing): + - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to + correctly handle cases where a caller gives it an RSA key of under 160 + bits. (This is not actually a bug in Tor itself, but wrather in our + fuzzing code.) Fixes bug 24247; bugfix on 0.3.0.3-alpha. + Found by OSS-Fuzz as issue 4177. diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c index 7ebddde1a..1e98eb6c8 100644 --- a/src/test/fuzz/fuzzing_common.c +++ b/src/test/fuzz/fuzzing_common.c @@ -28,8 +28,9 @@ mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to, (void)fromlen; /* We could look at from[0..fromlen-1] ... */ tor_assert(tolen >= crypto_pk_keysize(env)); - memset(to, 0x01, 20); - return 20; + size_t siglen = MIN(20, crypto_pk_keysize(env)); + memset(to, 0x01, siglen); + return (int)siglen; } static int