Potential integer overflow (RiotSha1) #27
Description
Leaving this here as a reminder. SHA1 update is always called with a constant value or hardcoded size, but this should still be fixed.
typedef struct _RIOT_SHA1_CONTEXT {
sha1_quadbyte count[2];
sha1_byte buffer[64];
} RIOT_SHA1_CONTEXT;
void RIOT_SHA1_Update(RIOT_SHA1_CONTEXT *context, const char *data, unsigned int len) {
unsigned int j = (context->count[0] >> 3) & 63; //j =0..63
if ((j + len) > 63) // <--- int overflow INT_MAX + len < 63
{ do something}
else
memcpy(&context->buffer[j], &data[i], len - i); } //i = 0