Fix security bugs: remotely caused buffer overflows (#1382).

data61 · Apr 24, 2024 · 6ce15d4 · 6ce15d4
1 parent f86ce7c
commit 6ce15d4
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/OT/BaseOT.cpp b/OT/BaseOT.cpp
@@ -146,6 +146,7 @@ void BaseOT::exec_base(bool new_receiver_inputs)
     if (ot_role & RECEIVER)
     {
         // Receive A
+        len = sizeof(receiver.S_pack);
         os[1].get_bytes((octet*) receiver.S_pack, len);
         if (len != HASHBYTES)
         {
@@ -208,6 +209,7 @@ void BaseOT::exec_base(bool new_receiver_inputs)
         if (ot_role & SENDER)
         {
             // Receive B
+            len = sizeof(Rs_pack[1]);
             os[1].get_bytes((octet*) Rs_pack[1], len);
             if (len != sizeof(Rs_pack[1]))
             {

diff --git a/OT/OTExtensionWithMatrix.cpp b/OT/OTExtensionWithMatrix.cpp
@@ -131,7 +131,7 @@ void OTExtensionWithMatrix::extend(int nOTs_requested, const BitVector& newRecei
     channel->send("hello", 6);
     char buf[6];
     channel->recv(buf, 6);
-    assert(buf == string("hello"));
+    assert(string(buf, 5) == string("hello"));
 #endif
 }
 

diff --git a/Tools/octetStream.cpp b/Tools/octetStream.cpp
@@ -143,7 +143,9 @@ void octetStream::store_bytes(octet* x, const size_t l)
 
 void octetStream::get_bytes(octet* ans, size_t& length)
 {
-  length = get_int(4);
+  auto rec_length = get_int(4);
+  if (rec_length != length)
+    throw runtime_error("unexpected length");
   memcpy(ans, consume(length), length * sizeof(octet));
 }
 

diff --git a/deps/libOTe b/deps/libOTe