Fix bug where memcpy could overrun buffer

author: Nick ODell <nickodell@gmail.com> 2013-08-02 13:21:02 -0600
committer: Nick ODell <nickodell@gmail.com> 2013-08-02 13:40:56 -0600
commit: 8d1f7753f679b12a8e57f8b5c4b529bb627ba6c5 (patch)
tree: 11289443c855d76ed1e80360a8db241e48e17164 /core
parent: eba7fdb9ba0dc76a06098c03a80fb218b2c53cc3 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/core/net_crypto.c b/core/net_crypto.c
index 31fb24be..3233d875 100644
--- a/core/net_crypto.c
+++ b/core/net_crypto.c
@@ -69,8 +69,8 @@ int encrypt_data(uint8_t *public_key, uint8_t *secret_key, uint8_t *nonce,
    if (length - crypto_box_BOXZEROBYTES + crypto_box_ZEROBYTES > MAX_DATA_SIZE || length == 0)
        return -1;
-    uint8_t temp_plain[MAX_DATA_SIZE + crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES] = {0};
+    uint8_t temp_plain[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES] = {0};
-    uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_ZEROBYTES];
+    uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES];
    memcpy(temp_plain + crypto_box_ZEROBYTES, plain, length); /* pad the message with 32 0 bytes. */
@@ -101,8 +101,8 @@ int decrypt_data(uint8_t *public_key, uint8_t *secret_key, uint8_t *nonce,
    if (length > MAX_DATA_SIZE || length <= crypto_box_BOXZEROBYTES)
        return -1;
-    uint8_t temp_plain[MAX_DATA_SIZE - crypto_box_ZEROBYTES + crypto_box_BOXZEROBYTES];
+    uint8_t temp_plain[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES];
-    uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_ZEROBYTES] = {0};
+    uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES] = {0};
    memcpy(temp_encrypted + crypto_box_BOXZEROBYTES, encrypted, length); /* pad the message with 16 0 bytes. */
author	Nick ODell <nickodell@gmail.com>	2013-08-02 13:21:02 -0600
committer	Nick ODell <nickodell@gmail.com>	2013-08-02 13:40:56 -0600
commit	8d1f7753f679b12a8e57f8b5c4b529bb627ba6c5 (patch)
tree	11289443c855d76ed1e80360a8db241e48e17164 /core
parent	eba7fdb9ba0dc76a06098c03a80fb218b2c53cc3 (diff)

diff --git a/core/net_crypto.c b/core/net_crypto.c index 31fb24be..3233d875 100644 --- a/core/net_crypto.c +++ b/core/net_crypto.c
@@ -69,8 +69,8 @@ int encrypt_data(uint8_t public_key, uint8_t secret_key, uint8_t *nonce,
69	if (length - crypto_box_BOXZEROBYTES + crypto_box_ZEROBYTES > MAX_DATA_SIZE \|\| length == 0)	69	if (length - crypto_box_BOXZEROBYTES + crypto_box_ZEROBYTES > MAX_DATA_SIZE \|\| length == 0)
70	return -1;	70	return -1;
71		71
72	uint8_t temp_plain[MAX_DATA_SIZE + crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES] = {0};	72	uint8_t temp_plain[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES] = {0};
73	uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_ZEROBYTES];	73	uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES];
74		74
75	memcpy(temp_plain + crypto_box_ZEROBYTES, plain, length); /* pad the message with 32 0 bytes. */	75	memcpy(temp_plain + crypto_box_ZEROBYTES, plain, length); /* pad the message with 32 0 bytes. */
76		76
@@ -101,8 +101,8 @@ int decrypt_data(uint8_t public_key, uint8_t secret_key, uint8_t *nonce,
101	if (length > MAX_DATA_SIZE \|\| length <= crypto_box_BOXZEROBYTES)	101	if (length > MAX_DATA_SIZE \|\| length <= crypto_box_BOXZEROBYTES)
102	return -1;	102	return -1;
103		103
104	uint8_t temp_plain[MAX_DATA_SIZE - crypto_box_ZEROBYTES + crypto_box_BOXZEROBYTES];	104	uint8_t temp_plain[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES];
105	uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_ZEROBYTES] = {0};	105	uint8_t temp_encrypted[MAX_DATA_SIZE + crypto_box_BOXZEROBYTES] = {0};
106		106
107	memcpy(temp_encrypted + crypto_box_BOXZEROBYTES, encrypted, length); /* pad the message with 16 0 bytes. */	107	memcpy(temp_encrypted + crypto_box_BOXZEROBYTES, encrypted, length); /* pad the message with 16 0 bytes. */
108		108