From e62bf02a131a14b6ec6ebea3590342a6c8265bbf Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Fri, 2 Nov 2018 13:19:20 -0500 Subject: [PATCH] Don't overflow state->calls on 16TiB RAND_bytes calls. This is an extremely important and practical use case. The comment that state->calls is bounded by the reseed interval isn't quite true. We only check on entry to the function, which means that it may exceed it by one call's worth. Switch it to a size_t (which doesn't actually increase memory because the struct was already padded). Change-Id: Ia7646fd5b4142789c1d613280223baa4cd1a4a9b Reviewed-on: https://boringssl-review.googlesource.com/c/32804 Commit-Queue: David Benjamin Commit-Queue: Adam Langley Reviewed-by: Adam Langley CQ-Verified: CQ bot account: commit-bot@chromium.org --- crypto/fipsmodule/rand/rand.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c index 02e63bc7..e6b4bb48 100644 --- a/crypto/fipsmodule/rand/rand.c +++ b/crypto/fipsmodule/rand/rand.c @@ -109,8 +109,9 @@ struct rand_state { // next forms a NULL-terminated linked-list of all free |rand_state| objects. struct rand_state *next; // calls is the number of generate calls made on |drbg| since it was last - // (re)seeded. This is bound by |kReseedInterval|. - unsigned calls; + // (re)seeded. This is bound by + // |kReseedInterval - 1 + SIZE_MAX / CTR_DRBG_MAX_GENERATE_LENGTH|. + size_t calls; #if defined(BORINGSSL_FIPS) // next_all forms another NULL-terminated linked-list, this time of all @@ -351,6 +352,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, out += todo; out_len -= todo; + // Though we only check before entering the loop, this cannot add enough to + // overflow a |size_t|. state->calls++; first_call = 0; }