Fix len miscalculation in buffer-based allocator

This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-27 13:57:42 +01:00 committed by Paul Bakker
parent 547ff6618f
commit 5dd28ea432
2 changed files with 13 additions and 3 deletions

View file

@ -18,6 +18,9 @@ Security
Bugfix
* Stack buffer overflow if ctr_drbg_update() is called with too large
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
if memory_buffer_alloc_init() was called with buf not aligned and len not
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE.
= PolarSSL 1.3.9 released 2014-10-20
Security

View file

@ -563,9 +563,11 @@ int memory_buffer_alloc_init( unsigned char *buf, size_t len )
if( (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE )
{
/* Adjust len first since buf is used in the computation */
len -= POLARSSL_MEMORY_ALIGN_MULTIPLE
- (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
buf += POLARSSL_MEMORY_ALIGN_MULTIPLE
- (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
len -= (size_t) buf % POLARSSL_MEMORY_ALIGN_MULTIPLE;
}
heap.buf = buf;
@ -623,9 +625,9 @@ static int check_all_free( )
int memory_buffer_alloc_self_test( int verbose )
{
int ret = 0;
unsigned char buf[1024];
unsigned char *p, *q, *r;
unsigned char *p, *q, *r, *end;
int ret = 0;
if( verbose != 0 )
polarssl_printf( " MBA test #1 (basic alloc-free cycle): " );
@ -646,6 +648,9 @@ int memory_buffer_alloc_self_test( int verbose )
TEST_ASSERT( check_all_free( ) == 0 );
/* Memorize end to compare with the next test */
end = heap.buf + heap.len;
memory_buffer_alloc_free( );
if( verbose != 0 )
@ -656,6 +661,8 @@ int memory_buffer_alloc_self_test( int verbose )
memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
TEST_ASSERT( heap.buf + heap.len == end );
p = polarssl_malloc( 1 );
q = polarssl_malloc( 128 );
r = polarssl_malloc( 16 );