-
Notifications
You must be signed in to change notification settings - Fork 213
removeLen32Prefixed: check for possible data overflow #629
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -77,6 +77,9 @@ func removeLen32Prefixed(data []byte) (next []byte, remainder []byte, err error) | |||||||||||||||||||
| return nil, nil, fmt.Errorf("data too short") | ||||||||||||||||||||
| } | ||||||||||||||||||||
| itemLen := int(binary.LittleEndian.Uint32(data)) | ||||||||||||||||||||
| if itemLen < 0 { | ||||||||||||||||||||
| return nil, nil, fmt.Errorf("negative data length: possible overflow") | ||||||||||||||||||||
| } | ||||||||||||||||||||
| if (4 + itemLen) > len(data) { | ||||||||||||||||||||
| return nil, nil, fmt.Errorf("data too short") | ||||||||||||||||||||
| } | ||||||||||||||||||||
|
Comment on lines
+80
to
85
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔴 Overflow check is incomplete — addition of offset and length can still wrap on 32-bit targets The new negative-length check ( Impact: On 32-bit targets (including WASM, which CI tests), a crafted ciphertext with a length field near 2³¹ can crash the decryption routine. Detailed overflow mechanism on 32-bit intOn 32-bit platforms ( This function is called from A robust fix would avoid int arithmetic overflow entirely, e.g.: itemLen := int(binary.LittleEndian.Uint32(data))
if itemLen < 0 || itemLen > len(data)-4 {
return nil, nil, fmt.Errorf("data too short")
}Since
Suggested change
Was this helpful? React with 👍 or 👎 to provide feedback.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @mdosch this looks useful?
Comment on lines
+80
to
85
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟨 Incomplete overflow guard still allows denial-of-service via crafted ciphertext on 32-bit targets The new Was this helpful? React with 👍 or 👎 to provide feedback. |
||||||||||||||||||||
|
|
||||||||||||||||||||
Uh oh!
There was an error while loading. Please reload this page.