From: Nick Mathewson Date: Fri, 26 Sep 2014 13:06:36 +0000 (-0400) Subject: Check key_len in secret_to_key_new() X-Git-Tag: tor-0.2.6.1-alpha~83 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7c52a0555aee23f171870c5d41ce3c0f593c2e57;p=thirdparty%2Ftor.git Check key_len in secret_to_key_new() This bug shouldn't be reachable so long as secret_to_key_len and secret_to_key_make_specifier stay in sync, but we might screw up someday. Found by coverity; this is CID 1241500 --- diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c index 93c96e74ae..aef8436ad9 100644 --- a/src/common/crypto_s2k.c +++ b/src/common/crypto_s2k.c @@ -392,6 +392,9 @@ secret_to_key_new(uint8_t *buf, type = buf[0]; key_len = secret_to_key_key_len(type); + if (key_len < 0) + return key_len; + if ((int)buf_len < key_len + spec_len) return S2K_TRUNCATED;
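Review bot: the new `if (key_len < 0) return key_len;` in secret_to_key_new() hands the helper's negative return value straight back to the caller as this function's own error code, while the very next check returns the named constant S2K_TRUNCATED. Nothing in the hunk shows what negative values secret_to_key_key_len() can produce. Please either add a one-line comment saying that its negative returns are already valid S2K_* error codes for callers of secret_to_key_new(), or map the failure to a named constant here so the two error paths read consistently. Because the commit message says this branch should be unreachable while the helpers stay in sync, a short comment to that effect above the check would keep a later reader from removing it as dead code. Also, the commit message refers to secret_to_key_len, but the call in the context lines is secret_to_key_key_len(type); it is worth confirming which name was meant. A smaller point on the unchanged context: `(int)buf_len < key_len + spec_len` still narrows buf_len to int. With key_len now guaranteed non-negative at that point, the comparison could be done in the unsigned type instead, provided spec_len is non-negative as well, which this hunk does not show.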