upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-06-08 16:23:24 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

BUG/MINOR: jwe: don't write randoms past MAX_DECRYPTED_CEK_LEN in RSA_PKCS1_PADDING

Browse source 
The recent fix in commit 1a5a33396d ("BUG/MEDIUM: jwe: substitute random
CEK on RSA1_5 decryption failure per RFC 7516 #11.5") writes 8 bytes at
once but stops at the last one, so it can overflow the sample by 7 bytes.
This is totally harmless since the max size is 64 bytes, but better stop
at the boundary. A final loop completes one byte at a time by construction
so that we can adapt to any value of MAX_DECRYPTED_CEK_LEN, but the compiler
will not emit it since we stop at 64.

No backport is needed, it's only for 3.4.
This commit is contained in:
Willy Tarreau 2026-06-03 13:23:32 +02:00
parent 8b71e1f155
commit bf4878226e
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/jwe.c
View file

@ -840,11 +840,16 @@ static int do_decrypt_cek_rsa(struct buffer *cek, struct buffer *decrypted_cek,
int i;
unsigned char *p = (unsigned char *)b_orig(decrypted_cek);
for (i = 0; i < MAX_DECRYPTED_CEK_LEN; i++) {
/* fill 8 bytes at a time */
for (i = 0; i <= MAX_DECRYPTED_CEK_LEN - 8; i++) {
uint64_t r = ha_random64();
memcpy(p, &r, 8);
p+=8;
p += 8;
}
/* complete if not multiple of 8 (normally not the case) */
for (; i < MAX_DECRYPTED_CEK_LEN; i++)
*(p++) = ha_random64();
outl = MAX_DECRYPTED_CEK_LEN;
} else
goto end;