libmacaroons

Potential undersized buffer

Open dodsonmg opened this issue 4 years ago • 0 comments

In macaroon_add_third_party_caveat_raw(...), I'm wondering if the buffer for enc_cyphertext should be the same size as that for enc_plaintext?

https://github.com/rescrv/libmacaroons/blob/fb878b975bbf42d77be883a5327644594578d59e/macaroons.c#L342-L352

The call to macaroon_secretbox(...) appears to be attempting to store data beyond the end of enc_cyphertext when SECRET_BOX_OVERHEAD is not included when initialising the buffer size.

https://github.com/rescrv/libmacaroons/blob/fb878b975bbf42d77be883a5327644594578d59e/macaroons.c#L384-L390

In macaroon_verify_inner_3rd(...), enc_cyphertext buffer size matches enc_plaintext:

https://github.com/rescrv/libmacaroons/blob/fb878b975bbf42d77be883a5327644594578d59e/macaroons.c#L717-L730

Note: SECRET_BOX_OVERHEAD is defined as the difference between MACAROON_SECRET_TEXT_ZERO_BYTES and MACAROON_SECRET_BOX_ZERO_BYTES.

https://github.com/rescrv/libmacaroons/blob/fb878b975bbf42d77be883a5327644594578d59e/macaroons.c#L329-L331

dodsonmg, Jul 02 '20 16:07
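
Added example (not part of the original issue and not libmacaroons code): the buffer arithmetic the issue raises, with a guarded wrapper that rejects an undersized ciphertext buffer instead of writing past it. The constant values, `layout_only_box`, `checked_box` and `box_hash` are assumptions made for illustration, and the stand-in performs no encryption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes (not from the page): NaCl's secretbox zero padding of 32
 * bytes (plaintext) and 16 bytes (ciphertext), and a 32-byte hash. */
#define TEXT_ZERO_BYTES 32
#define BOX_ZERO_BYTES  16
#define HASH_BYTES      32
#define BOX_OVERHEAD    (TEXT_ZERO_BYTES - BOX_ZERO_BYTES)

/* Hypothetical stand-in for the box primitive: NO encryption, it only
 * reproduces the write extent (m_len bytes into c, as many as read from m). */
static void layout_only_box(unsigned char *c, const unsigned char *m, size_t m_len)
{
    memset(c, 0, BOX_ZERO_BYTES);                    /* zero prefix      */
    memset(c + BOX_ZERO_BYTES, 0xA5, BOX_OVERHEAD);  /* placeholder tag  */
    memcpy(c + TEXT_ZERO_BYTES, m + TEXT_ZERO_BYTES, m_len - TEXT_ZERO_BYTES);
}

/* Bytes that would land past the end of a c_cap-byte ciphertext buffer. */
size_t overflow_bytes(size_t c_cap, size_t m_len)
{
    return m_len > c_cap ? m_len - c_cap : 0;
}

/* Hypothetical guarded wrapper: refuses the call instead of overflowing. */
int checked_box(unsigned char *c, size_t c_cap, const unsigned char *m, size_t m_len)
{
    if (m_len < TEXT_ZERO_BYTES || overflow_bytes(c_cap, m_len) != 0) return -1;
    layout_only_box(c, m, m_len);
    return 0;
}

/* Box a HASH_BYTES message into a buffer declared with or without overhead. */
int box_hash(int with_overhead)
{
    unsigned char pt[TEXT_ZERO_BYTES + HASH_BYTES] = {0};
    unsigned char small[BOX_ZERO_BYTES + HASH_BYTES];                /* 48 */
    unsigned char full[BOX_ZERO_BYTES + HASH_BYTES + BOX_OVERHEAD];  /* 64 */
    return with_overhead ? checked_box(full, sizeof full, pt, sizeof pt)
                         : checked_box(small, sizeof small, pt, sizeof pt);
}

int main(void)
{
    printf("without overhead: %d, with overhead: %d\n", box_hash(0), box_hash(1));
    return 0;
}
```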