From 463eaeb308230033e7c1e8d3b11ee480b5fede28 Mon Sep 17 00:00:00 2001 From: Bill Richardson Date: Mon, 30 Jul 2012 15:22:56 -0700 Subject: [PATCH] security: Avoid integer wrap on 32-bit platforms This could wrap before the assignment: uint64_t = uint32_t * int; Instead: uint64_t = uint32_t; uint64_t *= int; BUG=chrome-os-partner:11643 TEST=none Nothing to test or verify. If the security guys approve, it's fixed. Change-Id: Ib7c9774998332ac1a29c4551bc039eaa999ee681 Signed-off-by: Bill Richardson Reviewed-on: https://gerrit.chromium.org/gerrit/28841 Reviewed-by: Gaurav Shah --- firmware/lib/cryptolib/rsa_utility.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/firmware/lib/cryptolib/rsa_utility.c b/firmware/lib/cryptolib/rsa_utility.c index 9da920ccf7..ab4650c0ac 100644 --- a/firmware/lib/cryptolib/rsa_utility.c +++ b/firmware/lib/cryptolib/rsa_utility.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -51,7 +51,9 @@ RSAPublicKey* RSAPublicKeyFromBuf(const uint8_t* buf, uint64_t len) { StatefulInit(&st, (void*)buf, len); StatefulMemcpy(&st, &key->len, sizeof(key->len)); - key_len = key->len * sizeof(uint32_t); /* key length in bytes. */ + /* key length in bytes (avoiding possible 32-bit rollover) */ + key_len = key->len; + key_len *= sizeof(uint32_t); /* Sanity Check the key length. */ if (RSA1024NUMBYTES != key_len &&