[zeromq-dev] curvezmq code review : possible memory violation in s_produce_hello - s_encrypt - memcpy

Laurent Alebarde l.alebarde at free.fr
Thu Aug 15 12:30:18 CEST 2013


Hi all,

I am reviewing the curvezmq code with a debugger:

Fact:
in curvezmq_codec.c (s_encrypt from s_produce_hello, line 288):
memcpy (target, box + crypto_box_BOXZEROBYTES, size + crypto_box_BOXZEROBYTES);
copies (size + crypto_box_BOXZEROBYTES) bytes from (box + crypto_box_BOXZEROBYTES).
The debugger aborts (while the executable itself works fine when run from a shell).

Consequences:
     1) (crypto_box_BOXZEROBYTES) undefined bytes after the box are copied to target, while the box is malloc-ed with a size of (crypto_box_ZEROBYTES + size)
     2) the spec "target must be nonce + box" is not fulfilled since the first crypto_box_BOXZEROBYTES bytes of the box are not copied to target (may be ok since they are zeros)

Possible solutions:
     1) change to: memcpy (target, box + crypto_box_BOXZEROBYTES, size);
         and set appropriately the remaining (crypto_box_BOXZEROBYTES) bytes of target
     2) change to: memcpy (target, box, size + crypto_box_BOXZEROBYTES);
         and adapt the size of target: hello_t.box becomes: bytes box[96]
     3) change to: memcpy (target, box + crypto_box_BOXZEROBYTES, size);
         and adapt the size of target: hello_t.box becomes: bytes box[64]

In addition: box should be malloc-ed with a size of (crypto_box_BOXZEROBYTES + size) instead of (crypto_box_ZEROBYTES + size)

Cheers,


Laurent.
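An added worked example, not code from the original post or from the CurveZMQ sources, that carries through the buffer arithmetic the post reasons about. It uses the NaCl crypto_box constants (crypto_box_ZEROBYTES = 32, crypto_box_BOXZEROBYTES = 16, crypto_box_NONCEBYTES = 24) and assumes a HELLO plaintext of 64 bytes, which gives the 80-byte box field the post's box[96]/box[64] alternatives are measured against. It does not call NaCl or libsodium: the crypto_box output is simulated with fill bytes so that only the layout and the bounds of the posted memcpy are exercised. overread_bytes() reports how far the copy reads past a box buffer of a given allocation size, and pack_nonce_box() performs the copy and refuses it when it would leave the box or overflow the target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* NaCl crypto_box (curve25519xsalsa20poly1305) constants. */
#define ZEROBYTES     32   /* crypto_box_ZEROBYTES: zero padding in front of the plaintext */
#define BOXZEROBYTES  16   /* crypto_box_BOXZEROBYTES: zero bytes crypto_box leaves in front of the box */
#define NONCEBYTES    24   /* crypto_box_NONCEBYTES */
#define HELLO_PLAIN   64   /* assumption: HELLO boxes 64 plaintext bytes, so hello_t.box is 64 + 16 = 80 bytes */

/* Bytes that the copy as posted,
 *   memcpy (target, box + BOXZEROBYTES, size + BOXZEROBYTES);
 * reads past the end of a box buffer of alloc_len bytes (0 = stays inside). */
size_t overread_bytes (size_t alloc_len, size_t size)
{
    size_t end = BOXZEROBYTES + size + BOXZEROBYTES;   /* one past the last byte read */
    return end > alloc_len ? end - alloc_len : 0;
}

/* Simulated crypto_box output layout: BOXZEROBYTES zeros, a 16-byte
 * authenticator, then 'size' ciphertext bytes, in a buffer of
 * ZEROBYTES + size bytes. No encryption happens; the fill values only
 * mark the regions so the copy result can be checked. */
static void fake_crypto_box (uint8_t *box, size_t size)
{
    memset (box, 0x00, BOXZEROBYTES);
    memset (box + BOXZEROBYTES, 0xAA, BOXZEROBYTES);   /* stands in for the Poly1305 tag */
    memset (box + ZEROBYTES, 0xCC, size);               /* stands in for the ciphertext */
}

/* Build nonce || box into target the way the posted memcpy does.
 * Returns the number of bytes written, or 0 if the copy would read
 * outside a (ZEROBYTES + size)-byte box buffer or overflow target. */
size_t pack_nonce_box (uint8_t *target, size_t target_len,
                       const uint8_t *nonce, size_t size)
{
    size_t alloc_len = ZEROBYTES + size;
    if (overread_bytes (alloc_len, size) != 0)
        return 0;
    if (target_len < NONCEBYTES + BOXZEROBYTES + size)
        return 0;

    uint8_t *box = malloc (alloc_len);
    if (box == NULL)
        return 0;
    fake_crypto_box (box, size);

    memcpy (target, nonce, NONCEBYTES);
    memcpy (target + NONCEBYTES, box + BOXZEROBYTES, size + BOXZEROBYTES);
    free (box);
    return NONCEBYTES + BOXZEROBYTES + size;
}

/* Pack a HELLO-sized box and verify target holds nonce, then the 16 tag
 * bytes, then the 64 ciphertext bytes, with nothing else in between. */
int hello_layout_ok (void)
{
    uint8_t nonce [NONCEBYTES];
    uint8_t target [NONCEBYTES + BOXZEROBYTES + HELLO_PLAIN];
    memset (nonce, 0x11, sizeof nonce);

    size_t n = pack_nonce_box (target, sizeof target, nonce, HELLO_PLAIN);
    if (n != sizeof target)
        return 0;
    for (size_t i = 0; i < NONCEBYTES; i++)
        if (target [i] != 0x11) return 0;
    for (size_t i = 0; i < BOXZEROBYTES; i++)
        if (target [NONCEBYTES + i] != 0xAA) return 0;
    for (size_t i = 0; i < HELLO_PLAIN; i++)
        if (target [NONCEBYTES + BOXZEROBYTES + i] != 0xCC) return 0;
    return 1;
}

int main (void)
{
    printf ("box malloc'ed with ZEROBYTES + size:    over-read = %zu bytes\n",
            overread_bytes (ZEROBYTES + HELLO_PLAIN, HELLO_PLAIN));
    printf ("box malloc'ed with BOXZEROBYTES + size: over-read = %zu bytes\n",
            overread_bytes (BOXZEROBYTES + HELLO_PLAIN, HELLO_PLAIN));
    printf ("nonce || box layout for HELLO: %s\n", hello_layout_ok () ? "ok" : "BROKEN");
    return 0;
}
```

Running it under a memory checker (valgrind, or a build with -fsanitize=address) is the quick way to confirm what the arithmetic says: the tool flags a heap over-read only when the source range of the memcpy extends past the malloc'ed length, so comparing the two allocation sizes the post discusses side by side settles which one the copy is safe against.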