Fix omac1_aes_128_vector() not to read beyond addr/len array

Previously, it was possible for the loop through the data components to increment addr/len index at the last position beyond the declared size. This resulted in reading beyond those arrays. The read values were not used and as such, this was unlikely to cause noticeable issues, but anyway, memory checkers can detect this and the correct behavior is to stop increments before going beyond the arrays since no more bytes will be processed after this anyway. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:39:34 +02:00 · 2014-11-30 15:39:34 +02:00 · 0a11409c00
parent 763041b2e8
commit 0a11409c00
1 changed files with 13 additions and 0 deletions
--- a/src/crypto/aes-omac1.c
+++ b/src/crypto/aes-omac1.c
@ -65,6 +65,13 @@ int omac1_aes_128_vector(const u8 *key, size_t num_elem,
 		for (i = 0; i < AES_BLOCK_SIZE; i++) {
 			cbc[i] ^= *pos++;
 			if (pos >= end) {
+				/*
+				 * Stop if there are no more bytes to process
+				 * since there are no more entries in the array.
+				 */
+				if (i + 1 == AES_BLOCK_SIZE &&
+				    left == AES_BLOCK_SIZE)
+					break;
 				e++;
 				pos = addr[e];
 				end = pos + len[e];
@ -83,6 +90,12 @@ int omac1_aes_128_vector(const u8 *key, size_t num_elem,
 		for (i = 0; i < left; i++) {
 			cbc[i] ^= *pos++;
 			if (pos >= end) {
+				/*
+				 * Stop if there are no more bytes to process
+				 * since there are no more entries in the array.
+				 */
+				if (i + 1 == left)
+					break;
 				e++;
 				pos = addr[e];
 				end = pos + len[e];