Fixed buffer overrun (read only, usually harmless, but sloppy nonetheless).

author Thomas Pornin <pornin@bolet.org>

Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)

committer Thomas Pornin <pornin@bolet.org>

Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
author Thomas Pornin <pornin@bolet.org>
Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
committer Thomas Pornin <pornin@bolet.org>
Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
diff --git a/src/symcipher/aes_ct64.c b/src/symcipher/aes_ct64.c

index 981e63d..1523811 100644 (file)
--- a/src/symcipher/aes_ct64.c
+++ b/src/symcipher/aes_ct64.c
@@ -378,7 +378,7 @@ br_aes_ct64_skey_expand(uint64_t *skey,
  {
         unsigned u, v, n;
  
  {
         unsigned u, v, n;
  
-       n = (num_rounds + 1) << 2;
+       n = (num_rounds + 1) << 1;
         for (u = 0, v = 0; u < n; u ++, v += 4) {
                 uint64_t x0, x1, x2, x3;
  
         for (u = 0, v = 0; u < n; u ++, v += 4) {
                 uint64_t x0, x1, x2, x3;
  
diff --git a/src/symcipher/aes_ct64_cbcdec.c b/src/symcipher/aes_ct64_cbcdec.c

index 814dce7..5a7360b 100644 (file)
--- a/src/symcipher/aes_ct64_cbcdec.c
+++ b/src/symcipher/aes_ct64_cbcdec.c
@@ -39,7 +39,7 @@ br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx,
         void *iv, void *data, size_t len)
  {
         unsigned char *buf;
         void *iv, void *data, size_t len)
  {
         unsigned char *buf;
-       uint64_t sk_exp[240];
+       uint64_t sk_exp[120];
         uint32_t ivw[4];
  
         br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
         uint32_t ivw[4];
  
         br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
diff --git a/src/symcipher/aes_ct64_cbcenc.c b/src/symcipher/aes_ct64_cbcenc.c

index e320614..6cb9dec 100644 (file)
--- a/src/symcipher/aes_ct64_cbcenc.c
+++ b/src/symcipher/aes_ct64_cbcenc.c
@@ -39,7 +39,7 @@ br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx,
         void *iv, void *data, size_t len)
  {
         unsigned char *buf;
         void *iv, void *data, size_t len)
  {
         unsigned char *buf;
-       uint64_t sk_exp[240];
+       uint64_t sk_exp[120];
         uint32_t ivw[4];
  
         br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
         uint32_t ivw[4];
  
         br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
diff --git a/src/symcipher/aes_ct64_ctr.c b/src/symcipher/aes_ct64_ctr.c

index 6d5a566..1275873 100644 (file)
--- a/src/symcipher/aes_ct64_ctr.c
+++ b/src/symcipher/aes_ct64_ctr.c
@@ -53,7 +53,7 @@ br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx,
  {
         unsigned char *buf;
         uint32_t ivw[16];
  {
         unsigned char *buf;
         uint32_t ivw[16];
-       uint64_t sk_exp[240];
+       uint64_t sk_exp[120];
  
         br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
         br_range_dec32le(ivw, 3, iv);
  
         br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
         br_range_dec32le(ivw, 3, iv);
author	Thomas Pornin <pornin@bolet.org>
	Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
committer	Thomas Pornin <pornin@bolet.org>
	Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
src/symcipher/aes_ct64.c		patch \| blob \| history
src/symcipher/aes_ct64_cbcdec.c		patch \| blob \| history
src/symcipher/aes_ct64_cbcenc.c		patch \| blob \| history
src/symcipher/aes_ct64_ctr.c		patch \| blob \| history