authorBen Noordhuis <info@bnoordhuis.nl>2012-10-22 00:03:47 +0200
committerBen Noordhuis <info@bnoordhuis.nl>2012-10-22 00:20:32 +0200
commitde18e29784b5f10f695d0859b43c81f41d743e85 (patch)
treed2fa96c124a6de9f0bc8016e55198dd32358473f
parent82df345fbba15ba42eeb9955f3bc76609c86e677 (diff)
downloadnode-de18e29784b5f10f695d0859b43c81f41d743e85.tar.gz
crypto: fix DH 1 byte buffer underflow
Passing a bad key to DiffieHellman::ComputeSecret() made it zero the byte before the heap-allocated buffer due to an erroneous size calculation.
-rw-r--r--src/node_crypto.cc38
1 files changed, 20 insertions, 18 deletions
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 04954328d..69ccfd262 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -3960,17 +3960,6 @@ class DiffieHellman : public ObjectWrap {
key, diffieHellman->dh);
BN_free(key);
- Local<Value> outString;
-
- // DH_size returns number of bytes in a prime number
- // DH_compute_key returns number of bytes in a remainder of exponent, which
- // may have less bytes than a prime number. Therefore add 0-padding to the
- // allocated buffer.
- if (size != dataSize) {
- assert(dataSize > size);
- memset(data + size, 0, dataSize - size);
- }
-
if (size == -1) {
int checkResult;
if (!DH_check_pub_key(diffieHellman->dh, key, &checkResult)) {
@@ -3988,14 +3977,27 @@ class DiffieHellman : public ObjectWrap {
} else {
return ThrowException(Exception::Error(String::New("Invalid key")));
}
+ }
+
+ assert(size >= 0);
+
+ // DH_size returns number of bytes in a prime number
+ // DH_compute_key returns number of bytes in a remainder of exponent, which
+ // may have less bytes than a prime number. Therefore add 0-padding to the
+ // allocated buffer.
+ if (size != dataSize) {
+ assert(dataSize > size);
+ memset(data + size, 0, dataSize - size);
+ }
+
+ Local<Value> outString;
+
+ if (args.Length() > 2 && args[2]->IsString()) {
+ outString = EncodeWithEncoding(args[2], data, dataSize);
+ } else if (args.Length() > 1 && args[1]->IsString()) {
+ outString = EncodeWithEncoding(args[1], data, dataSize);
} else {
- if (args.Length() > 2 && args[2]->IsString()) {
- outString = EncodeWithEncoding(args[2], data, dataSize);
- } else if (args.Length() > 1 && args[1]->IsString()) {
- outString = EncodeWithEncoding(args[1], data, dataSize);
- } else {
- outString = Encode(data, dataSize, BINARY);
- }
+ outString = Encode(data, dataSize, BINARY);
}
delete[] data;
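Review bot: The new `assert(size >= 0);` is the only guard between a negative `size` and `memset(data + size, 0, dataSize - size)`, and it compiles away if this file is built with NDEBUG (the build flags are not visible here). A runtime check would hold in every build: `if (size < 0 || size > dataSize) { delete[] data; return ThrowException(Exception::Error(String::New("Invalid key"))); }`. The visible `return ThrowException(...)` in the `size == -1` block also leaves before `delete[] data;`, so the buffer appears to leak on every rejected key; the allocation is outside the hunk, so confirm against the full function. In the first hunk's context, `BN_free(key)` runs before `DH_check_pub_key(diffieHellman->dh, key, &checkResult)` reads `key` on that same error path, which looks like a use after free; moving the free to after the check would close it. The enclosing function starts outside both hunks.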