From: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri, 3 Jun 2005 10:16:03 +0000 (+0000)
Subject: Prevent possible buffer overflows when using very large (>= 8192 bit) RSA keys.
X-Git-Tag: release-1.0.5~31
X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=commitdiff_plain;h=e810545dc2ae158745624c1575b76c55f883c892

Prevent possible buffer overflows when using very large (>= 8192 bit) RSA keys.
Thanks to Tonnerre Lombard for noticing!
---

diff --git a/THANKS b/THANKS
index 8210465b..2f097d6a 100644
--- a/THANKS
+++ b/THANKS
@@ -23,6 +23,7 @@ We would like to thank the following people for their contributions to tinc:
 * Paul Littlefield
 * Robert van der Meulen
 * Teemu Kiviniemi
+* Tonnerre Lombard
 * Wessel Dankers
 * Wouter van Heyst
 
diff --git a/src/protocol.h b/src/protocol.h
index 100543a1..d6a35be7 100644
--- a/src/protocol.h
+++ b/src/protocol.h
@@ -56,9 +56,12 @@ typedef struct past_request_t {
 
 extern bool tunnelserver;
 
-/* Maximum size of strings in a request */
+/* Maximum size of strings in a request.
+ * scanf terminates %2048s with a NUL character,
+ * but the NUL character can be written after the 2048th non-NUL character.
+ */
 
-#define MAX_STRING_SIZE 2048
+#define MAX_STRING_SIZE 2049
 #define MAX_STRING "%2048s"
 
 #include "edge.h"
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 8d4b0329..c44c6d01 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -118,7 +118,7 @@ bool id_h(connection_t *c)
 
 bool send_metakey(connection_t *c)
 {
-	char buffer[MAX_STRING_SIZE];
+	char *buffer;
 	int len;
 	bool x;
 
@@ -128,6 +128,8 @@ bool send_metakey(connection_t *c)
 
 	/* Allocate buffers for the meta key */
 
+	buffer = alloca(2 * len + 1);
+	
 	if(!c->outkey)
 		c->outkey = xmalloc(len);
 
@@ -302,7 +304,7 @@ bool metakey_h(connection_t *c)
 
 bool send_challenge(connection_t *c)
 {
-	char buffer[MAX_STRING_SIZE];
+	char *buffer;
 	int len;
 
 	cp();
@@ -313,6 +315,8 @@ bool send_challenge(connection_t *c)
 
 	/* Allocate buffers for the challenge */
 
+	buffer = alloca(2 * len + 1);
+
 	if(!c->hischallenge)
 		c->hischallenge = xmalloc(len);
 
diff --git a/src/protocol_key.c b/src/protocol_key.c
index a56ff919..e393dd64 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -142,10 +142,11 @@ bool req_key_h(connection_t *c)
 
 bool send_ans_key(connection_t *c, const node_t *from, const node_t *to)
 {
-	char key[MAX_STRING_SIZE];
+	char *key;
 
 	cp();
 
+	key = alloca(2 * from->keylength + 1);
 	bin2hex(from->key, key, from->keylength);
 	key[from->keylength * 2] = '\0';