Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys

This function -- a mock replacement used only for fuzzing -- would have a buffer overflow if it got an RSA key whose modulus was under 20 bytes long. Fortunately, Tor itself does not appear to have a bug here. Fixes bug 24247; bugfix on 0.3.0.3-alpha when fuzzing was introduced. Found by OSS-Fuzz; this is OSS-Fuzz issue 4177.
author: Nick Mathewson <nickm@torproject.org> 2017-11-11 14:42:39 -0500
committer: Nick Mathewson <nickm@torproject.org> 2017-11-11 14:44:45 -0500
commit: a7ca71cf6b2fb46b049442569188ce046cfd6c34 (patch)
tree: 371524ee86ff1266006f49255c98896e6b778bd0 /src/test/fuzz
parent: 512dfa15edf9723cb5bfa2b86d5658e320496445 (diff)
download: tor-a7ca71cf6b2fb46b049442569188ce046cfd6c34.tar.gz
tor-a7ca71cf6b2fb46b049442569188ce046cfd6c34.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c
index 7ebddde1a8..1e98eb6c85 100644
--- a/src/test/fuzz/fuzzing_common.c
+++ b/src/test/fuzz/fuzzing_common.c
@@ -28,8 +28,9 @@ mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to,
   (void)fromlen;
   /* We could look at from[0..fromlen-1] ... */
   tor_assert(tolen >= crypto_pk_keysize(env));
-  memset(to, 0x01, 20);
-  return 20;
+  size_t siglen = MIN(20, crypto_pk_keysize(env));
+  memset(to, 0x01, siglen);
+  return (int)siglen;
 }
 
 static int
author	Nick Mathewson <nickm@torproject.org>	2017-11-11 14:42:39 -0500
committer	Nick Mathewson <nickm@torproject.org>	2017-11-11 14:44:45 -0500
commit	a7ca71cf6b2fb46b049442569188ce046cfd6c34 (patch)
tree	371524ee86ff1266006f49255c98896e6b778bd0 /src/test/fuzz
parent	512dfa15edf9723cb5bfa2b86d5658e320496445 (diff)
download	tor-a7ca71cf6b2fb46b049442569188ce046cfd6c34.tar.gz tor-a7ca71cf6b2fb46b049442569188ce046cfd6c34.zip