39 lines
1.2 KiB
Diff
From 6d6cd5daf63b812734343bd020677829b13db2ac Mon Sep 17 00:00:00 2001
From: Fionn Fitzmaurice <1897918+fionn@users.noreply.github.com>
Date: Fri, 3 Jul 2020 07:39:54 +0800
Subject: [PATCH] Avoid buffer overflow in RC4 loop comparison (#336)
The rc4 function iterates over a buffer of size buffer_len whose maximum
value is INT_MAX with a counter of type short that is not guaranteed to
have maximum size INT_MAX.
In circumstances where short is narrower than int and where buffer_len
is larger than the maximum value of a short, it may be possible to loop
infinitely as counter will overflow and never be greater than or equal
to buffer_len.
The solution is to make the comparison be between types of equal width.
This commit defines counter as an int.
Fix By: Fionn Fitzmaurice (@fionn)
---
ares_query.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ares_query.c b/ares_query.c
index b38b8a6..5bbb2f5 100644
--- a/ares_query.c
+++ b/ares_query.c
@@ -45,7 +45,7 @@ static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len)
unsigned char y;
unsigned char* state;
unsigned char xorIndex;
- short counter;
+ int counter;
x = key->x;
y = key->y;
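Review bot: at `int counter;`, the fix holds only while the `buffer_len` parameter in the signature shown in the hunk header remains `int`; nothing ties the two types together, so a later change of the parameter to a wider type such as `size_t` would bring back the same narrower-counter comparison. Consider a short comment on the declaration saying it must match the type of `buffer_len`, or move both to `size_t` in one change. Both are signed, so it is also worth confirming that callers never pass a negative `buffer_len`. The subject line says "buffer overflow" while the message body describes a loop that never terminates after the counter overflows; aligning the two would make the change easier to triage.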
--
1.8.3.1