From 3cfe366cc07534c287cacd1c21ff44eed7f51bfc Mon Sep 17 00:00:00 2001
From: Giacomo Tesio
Date: Tue, 17 Jan 2017 20:21:57 +0100
Subject: [PATCH] libsec: fix out of bound write (CID 155904)

In aesXCBCmac fix (potential) out of bound write in padding. CID 155904 (#1 of 1): Out-of-bounds write (OVERRUN) 7. overrun-local: Overrunning array of 16 bytes at byte offset 16 by dereferencing pointer p2++.
---
 sys/src/lib/sec/port/aes.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/src/lib/sec/port/aes.c b/sys/src/lib/sec/port/aes.c
index 1d09e64..b6cd6d3 100644
--- a/sys/src/lib/sec/port/aes.c
+++ b/sys/src/lib/sec/port/aes.c
@@ -142,12 +142,12 @@ aesXCBCmac(uint8_t *p, int len, AESstate *s)
 /* the last one */
 memmove(q, p, len);
- p2 = q+len;
 if(len == AESbsize)
 mackey = s->mackey + AESbsize; /* k2 */
 else{
 mackey = s->mackey+2*AESbsize; /* k3 */
- *p2++ = 1 << 7; /* padding */
+ p2 = q+len; /* padding */
+ *p2++ = 1 << 7;
 len = AESbsize - len - 1;
 memset(p2, 0, len);
 }
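Review bot: The padding store `*p2++ = 1 << 7` in the `else` branch is only in bounds while `0 <= len < AESbsize`, and nothing in this hunk enforces that range. `len` is a signed `int` in the signature and `memmove(q, p, len)` runs before the branch, so a negative or oversized `len` would overrun the buffer behind `q` before the padding code is even reached. Whatever reduces `len` earlier in `aesXCBCmac` lies outside the hunk, so the range may already be guaranteed there. Even so, a check ahead of the `memmove` such as `if(len < 0 || len > AESbsize)` (with whatever failure path the function uses), or at least a comment `/* invariant: 0 <= len <= AESbsize */`, would make the bound explicit for readers and for the analyzer. As a small style point, the `/* padding */` comment now sits on the pointer assignment rather than on the line that writes the 0x80 byte.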