[tor-commits] [tor/release-0.3.2] Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys

[nickm at torproject.org]

commit a7ca71cf6b2fb46b049442569188ce046cfd6c34
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Nov 11 14:42:39 2017 -0500

    Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys
    
    This function -- a mock replacement used only for fuzzing -- would
    have a buffer overflow if it got an RSA key whose modulus was under
    20 bytes long.
    
    Fortunately, Tor itself does not appear to have a bug here.
    
    Fixes bug 24247; bugfix on 0.3.0.3-alpha when fuzzing was
    introduced.  Found by OSS-Fuzz; this is OSS-Fuzz issue 4177.
---
 changes/bug24247               | 6 ++++++
 src/test/fuzz/fuzzing_common.c | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/changes/bug24247 b/changes/bug24247
new file mode 100644
index 000000000..1f4ddcdde
--- /dev/null
+++ b/changes/bug24247
@@ -0,0 +1,6 @@
+  o Minor bugfixes (fuzzing):
+    - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to
+      correctly handle cases where a caller gives it an RSA key of under 160
+      bits. (This is not actually a bug in Tor itself, but wrather in our
+      fuzzing code.)  Fixes bug 24247; bugfix on 0.3.0.3-alpha.
+      Found by OSS-Fuzz as issue 4177.
diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c
index 7ebddde1a..1e98eb6c8 100644
--- a/src/test/fuzz/fuzzing_common.c
+++ b/src/test/fuzz/fuzzing_common.c
@@ -28,8 +28,9 @@ mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to,
   (void)fromlen;
   /* We could look at from[0..fromlen-1] ... */
   tor_assert(tolen >= crypto_pk_keysize(env));
-  memset(to, 0x01, 20);
-  return 20;
+  size_t siglen = MIN(20, crypto_pk_keysize(env));
+  memset(to, 0x01, siglen);
+  return (int)siglen;
 }
 
 static int