libsec: fix out of bound write (CID 155904)

In aesXCBCmac fix (potential) out of bound write in padding. CID 155904 (#1 of 1): Out-of-bounds write (OVERRUN) 7. overrun-local: Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer p2++.
2017-01-17 20:21:57 +01:00 · 2017-01-17 20:21:57 +01:00 · 3cfe366cc0
parent 06376d5859
commit 3cfe366cc0
1 changed files with 2 additions and 2 deletions
--- a/sys/src/lib/sec/port/aes.c
+++ b/sys/src/lib/sec/port/aes.c
@ -142,12 +142,12 @@ aesXCBCmac(uint8_t *p, int len, AESstate *s)
 	/* the last one */

 	memmove(q, p, len);
-	p2 = q+len;
 	if(len == AESbsize)
 		mackey = s->mackey + AESbsize;	/* k2 */
 	else{
 		mackey = s->mackey+2*AESbsize;	/* k3 */
-		*p2++ = 1 << 7;			/* padding */
+		p2 = q+len;			/* padding */
+		*p2++ = 1 << 7;
 		len = AESbsize - len - 1;
 		memset(p2, 0, len);
 	}