(Bug) Buffer overrun in gcry_cipher_gettag

Peter Wu peter at lekensteyn.nl
Tue Mar 22 11:08:44 CET 2016


Hi,

While working on a Lua binding to libgcrypt[1], I found that some
implementations of the gcry_cipher_gettag routine do not properly
validate their tag length.

Originally found in GCM, it seems that OCB and Poly1305 are also
affected. Their code look like this:

    _gcry_cipher_ocb_get_tag (gcry_cipher_hd_t c,
                              unsigned char *outtag, size_t outtagsize)
    {
      if (c->u_mode.ocb.taglen > outtagsize)
        return GPG_ERR_BUFFER_TOO_SHORT;
    ...

      memcpy (outtag, c->u_mode.ocb.tag, c->u_mode.ocb.taglen);
    ...
    }

That is, a lower bound is checked, but the upper bound is not. Result:
memcpy (or memcmp) outside their buffers.

Unaffected modes are:
 - CCM: returns GCRY_ERR_INV_LENGTH
 - CMAC: returns GCRY_ERR_INV_ARG
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl

 [1]: https://github.com/Lekensteyn/luagcrypt



More information about the Gcrypt-devel mailing list