[SUPPORT-112] Possible integer overflow in hsm_get_key_size_ecdsa - OpenDNSSEC

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: OpenDNSSEC 2.0
Fix Version/s: None
Component/s: PKCS#11 Interface
Labels:
None

Description

Since revision 7493, function hsm_get_key_size_ecdsa contains a possible integer overflow.

The bits variable is calculated by multiplying by 4 (8/2) the value_len returned by hsm_get_key_ecdsa_value. If the HSM cannot be trusted, this value cannot be trusted either.

This means that an adversarial HSM could return a very large value_len, thus causing the multiplication by 4 to overflow, resulting in a incorrect returned value.

Although, I have not found any potential vulnerability relying on this overflow, a integer overflow check should be performed as the return value of this function could very well be used, someday, to do something more complex than just displaying the (wrong) result.

A quick and very dirty fix can be found in attachment.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

ecdsa_size_intoverflow.patch
0.3 kB
2013-12-24 13:14

Issue Links

is cloned by

OPENDNSSEC-540 Possible integer overflow in hsm_get_key_size_ecdsa

Closed

Activity

People

Assignee:: Jakob Schlyter

Reporter:: Florian Maury

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2013-12-24 13:14

Updated:: 2014-10-26 08:16

Resolved:: 2014-02-13 06:09