mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-23 10:37:43 -04:00
a531f00a75
A lingering `sizeof` from the prototype era of !11094 caused the key-wipe in `isc_hmac_key_destroy` to use `sizeof(key->len)` instead of `key->len` for the length argument of `isc_safe_memwipe`. This results in a buffer overflow of zero bytes in HMAC keys that are less than 4 bytes. As such, the overflow can only be visibile in keys that are less than 32-bits, which is beyond broken and creating such keys are only possible in testing. Therefore, this change is *not* a security fix since the conditions are never reachable in any imaginable deployment scenario. Builds that use OpenSSL >=3.0 are unaffected as the `sizeof` was only remaining in pre-3.0 builds. |
||
|---|---|---|
| .. | ||
| meson.build | ||
| ossl1_1.c | ||
| ossl3.c | ||
| ossl_common.c | ||