Change the sodium_pad() API to accept a maximum buffer length

Of course, this is not required. Just like `strcat()` can be used safely. But since the cost of this extra check is negligible, better return `-1` than potentially overwrite unrelated memory locations.
2017-08-17 17:23:53 +02:00 · 2017-08-17 17:23:53 +02:00 · b9ed93fcb8
commit b9ed93fcb8
parent 4fd66e3ad7
2 changed files with 5 additions and 2 deletions
--- a/src/libsodium/include/sodium/utils.h
+++ b/src/libsodium/include/sodium/utils.h
@ -138,7 +138,7 @@ int sodium_mprotect_readwrite(void *ptr);

 SODIUM_EXPORT
 int sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
-               size_t unpadded_buflen, size_t blocksize);
+               size_t unpadded_buflen, size_t blocksize, size_t max_buflen);

 SODIUM_EXPORT
 int sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf,
--- a/src/libsodium/sodium/utils.c
+++ b/src/libsodium/sodium/utils.c
@ -622,7 +622,7 @@ sodium_mprotect_readwrite(void *ptr)

 int
 sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
-           size_t unpadded_buflen, size_t blocksize)
+           size_t unpadded_buflen, size_t blocksize, size_t max_buflen)
 {
    unsigned char          *tail;
    size_t                  i;
@ -644,6 +644,9 @@ sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
        sodium_misuse();
    }
    xpadded_len = unpadded_buflen + xpadlen;
+    if (xpadded_len >= max_buflen) {
+        return -1;
+    }
    tail = &buf[xpadded_len];
    *padded_buflen_p = xpadded_len + 1U;
    mask = 0U;