commit 7c52a0555aee23f171870c5d41ce3c0f593c2e57 Author: Nick Mathewson nickm@torproject.org Date: Fri Sep 26 09:06:36 2014 -0400

Check key_len in secret_to_key_new()

This bug shouldn't be reachable so long as secret_to_key_len and secret_to_key_make_specifier stay in sync, but we might screw up someday.

Found by coverity; this is CID 1241500 --- src/common/crypto_s2k.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c index 93c96e7..aef8436 100644 --- a/src/common/crypto_s2k.c +++ b/src/common/crypto_s2k.c @@ -392,6 +392,9 @@ secret_to_key_new(uint8_t *buf, type = buf[0]; key_len = secret_to_key_key_len(type);

+ if (key_len < 0) + return key_len; + if ((int)buf_len < key_len + spec_len) return S2K_TRUNCATED;