From 3fa0b84824873cfcad51b4ec6ea604f21620802b Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Mon, 18 Nov 2013 21:06:08 +0100 Subject: generic-gmac: don't access invalid pointer for the reorder check with null cipher --- src/methods/generic_gmac/generic_gmac.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/methods/generic_gmac/generic_gmac.c b/src/methods/generic_gmac/generic_gmac.c index 2a44858..4b4109e 100644 --- a/src/methods/generic_gmac/generic_gmac.c +++ b/src/methods/generic_gmac/generic_gmac.c @@ -262,22 +262,24 @@ static bool method_decrypt(fastd_context_t *ctx, fastd_peer_t *peer, fastd_metho if (!method_session_is_valid(ctx, session)) return false; - if (((const uint8_t*)in.data)[COMMON_NONCEBYTES]) /* flags */ + const uint8_t *common_nonce = in.data; + + if (common_nonce[COMMON_NONCEBYTES]) /* flags */ return false; int64_t age; - if (!fastd_method_is_nonce_valid(ctx, &session->common, in.data, &age)) + if (!fastd_method_is_nonce_valid(ctx, &session->common, common_nonce, &age)) return false; uint8_t gmac_nonce[session->gmac_ivlen]; memset(gmac_nonce, 0, session->gmac_ivlen); - memcpy(gmac_nonce, in.data, COMMON_NONCEBYTES); + memcpy(gmac_nonce, common_nonce, COMMON_NONCEBYTES); gmac_nonce[session->gmac_ivlen-1] = 1; uint8_t nonce[session->ivlen]; if (session->ivlen) { memset(nonce, 0, session->ivlen); - memcpy(nonce, in.data, COMMON_NONCEBYTES); + memcpy(nonce, common_nonce, COMMON_NONCEBYTES); nonce[session->ivlen-1] = 1; } @@ -311,15 +313,15 @@ static bool method_decrypt(fastd_context_t *ctx, fastd_peer_t *peer, fastd_metho return false; } - fastd_buffer_free(in); - fastd_buffer_push_head(ctx, out, sizeof(fastd_block128_t)); - if (!fastd_method_reorder_check(ctx, peer, &session->common, nonce, age)) { + if (!fastd_method_reorder_check(ctx, peer, &session->common, common_nonce, age)) { fastd_buffer_free(*out); *out = fastd_buffer_alloc(ctx, 0, 0, 0); } + fastd_buffer_free(in); + return true; } -- cgit v1.2.3