From a847a4c84b68c5d72c662198487a3ea96b0e1e1f Mon Sep 17 00:00:00 2001
From: Gabriele Gristina
Date: Sat, 31 Jul 2021 14:38:14 +0200
Subject: [PATCH] Fixed multiple buffer overflow in DPAPI masterkey file v2 module
---
 docs/changes.txt | 1 +
 src/modules/module_15900.c | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/docs/changes.txt b/docs/changes.txt
index 1ab36e2df..fc2638a55 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -14,6 +14,7 @@
 - Fixed autotune unitialized tmps variable for slow hashes by calling _init kernel before calling _loop kernel
 - Fixed datatype in function sha384_hmac_init_vector_128() that could come into effect if vector datatype was manually set
 - Fixed false negative in all VeraCrypt hash-modes if both conditions are met: 1. use CPU for cracking and 2. PIM range was used
+- Fixed multiple buffer overflow in DPAPI masterkey file v2 module
 ##
 ## Improvements
diff --git a/src/modules/module_15900.c b/src/modules/module_15900.c
index b07809107..155255a51 100644
--- a/src/modules/module_15900.c
+++ b/src/modules/module_15900.c
@@ -212,9 +212,7 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
 dpapimk->context = hc_strtoul ((const char *) context_pos, NULL, 10);
- // division by 4 should be fine because contents_len is either 208 or 288
-
- for (u32 i = 0; i < dpapimk->contents_len / 4; i++)
+ for (u32 i = 0; i < dpapimk->contents_len / 8; i++)
 {
 dpapimk->contents[i] = hex_to_u32 ((const u8 *) &contents_pos[i * 8]);
@@ -303,7 +301,7 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
 SID_tmp = (u8 *) hcmalloc ((SID_len + 1) * sizeof (u8));
- for (u32 i = 0; i < (SID_len / 4) + 1; i++)
+ for (u32 i = 0; i < (SID_len / 4); i++)
 {
 u8 hex[8] = { 0 };
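Review bot: In the `@@ -212,9 +212,7 @@` hunk of module_hash_decode, the new bound `dpapimk->contents_len / 8` is only safe if `contents_len` has already been checked against the length of the contents token and the capacity of `dpapimk->contents`, and no such check is visible here. The deleted comment was the only place that recorded the expected values (208 or 288), so I would keep a corrected version rather than drop it, e.g. `// contents_len counts hex characters (208 or 288); 8 of them decode to one u32`. If the value is taken from the hash line as-is, a length that is not a multiple of 8 now leaves the trailing characters undecoded without any error, so rejecting such a line before the loop would be the stricter behaviour. The function starts and ends outside the hunk, so the validation may already exist elsewhere.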
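Review bot: In the `@@ -303,7 +301,7 @@` hunk of module_hash_encode, the bound `SID_len / 4` truncates, so when `SID_len` is not a multiple of 4 the last one to three bytes of the SID are not covered by this loop. The loop body lies outside the hunk, so it cannot be confirmed from here whether later code reads those bytes of `SID_tmp` and relies on `hcmalloc` returning zeroed memory. A short comment stating the invariant would make the intent reviewable, e.g. `// whole u32 words only; SID_tmp holds SID_len + 1 bytes`.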