crypto: cipher update process crash with input of max int32 length #45757
Comments
cc @nodejs/crypto
I'll work on it. If I need help, can I bother you @panva?
It's a signed integer overflow, caused by openssl using ints for sizes and node mixing This particular issue isn't that hard to fix but it's probably just one of many similar bugs lurking in src/crypto.
Here is a quick fix: diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
index b907e9e9cdc..2259e28bec8 100644
--- a/src/crypto/crypto_cipher.cc
+++ b/src/crypto/crypto_cipher.cc
@@ -803,7 +803,11 @@ CipherBase::UpdateResult CipherBase::Update(
if (kind_ == kDecipher && IsAuthenticatedMode())
CHECK(MaybePassAuthTagToOpenSSL());
- int buf_len = len + EVP_CIPHER_CTX_block_size(ctx_.get());
+ const int block_size = EVP_CIPHER_CTX_block_size(ctx_.get());
+ CHECK_GT(block_size, 0);
+ if (len + block_size > INT_MAX) return kErrorState;
+
+ int buf_len = len + block_size;
// For key wrapping algorithms, get output size by calling
// EVP_CipherUpdate() with null output.
if (kind_ == kCipher && mode == EVP_CIPH_WRAP_MODE && Note: |
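Review bot: the new guard `if (len + block_size > INT_MAX) return kErrorState;` does the addition before the comparison, so it only works if `len` has an unsigned or wider-than-int type, and the declaration of `len` is not visible in this hunk. Since `block_size` is already checked to be positive on the line above, writing the test as `len > INT_MAX - block_size` (with a cast matching the type of `len`) cannot overflow or wrap for any type and is the safer form. The hunk also adds no regression test; the reported input length of 2**31-1 should be covered, along with a check that the kErrorState path surfaces as a catchable error rather than a crash.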
@marco-ippolito absolutely, go for it.
PR-URL: nodejs#45769
Fixes: nodejs#45757
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Version
v18.12.0
Platform
No response
Subsystem
crypto
What steps will reproduce the bug?
How often does it reproduce? Is there a required condition?
Every time.
What is the expected behavior?
Throw a normal catchable error like size>=2**31 do, or work right like size<=2**31.
What do you see instead?
Only size===2**31-1 will cause an uncatchable process crash.
Additional information
No response
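The length arithmetic discussed in this thread, as an added stand-alone example (not Node.js source and not from any participant). It assumes the input length arrives as a `size_t` and uses a constructed block size of 16; `naive_buf_len` and `checked_buf_len` are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked form: the size_t sum is narrowed to int. Past INT_MAX the
 * conversion is implementation-defined and wraps negative on common ABIs. */
static int naive_buf_len(size_t len, int block_size) {
  return (int)(len + (size_t)block_size);
}

/* Checked form: compare against INT_MAX - block_size so that no
 * intermediate value can overflow or wrap. Returns 0 and stores the
 * length in *out on success, -1 if the input must be rejected. */
static int checked_buf_len(size_t len, int block_size, int *out) {
  if (block_size <= 0) return -1;
  if (len > (size_t)(INT_MAX - block_size)) return -1;
  *out = (int)len + block_size;
  return 0;
}

int main(void) {
  const int block_size = 16; /* constructed value: a 128-bit block cipher */
  /* Constructed boundary inputs around INT_MAX - block_size. */
  const size_t lens[] = {0, (size_t)INT_MAX - 16, (size_t)INT_MAX - 15,
                         (size_t)INT_MAX};
  for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
    int out = 0;
    int rc = checked_buf_len(lens[i], block_size, &out);
    printf("len=%zu naive=%d checked=%s", lens[i],
           naive_buf_len(lens[i], block_size), rc == 0 ? "ok" : "rejected");
    if (rc == 0) printf(" buf_len=%d", out);
    printf("\n");
  }
  return 0;
}
```

The largest accepted length is `INT_MAX - block_size`; anything above it is rejected before a buffer size is ever computed, which is the condition a caller can turn into an ordinary error.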