From 6ce15d4e79f3b9c6897e3ee72b5580ce720e5606 Mon Sep 17 00:00:00 2001 From: Marcel Keller Date: Wed, 24 Apr 2024 13:03:21 +1000 Subject: [PATCH] Fix security bugs: remotely caused buffer overflows (#1382). --- OT/BaseOT.cpp | 2 ++ OT/OTExtensionWithMatrix.cpp | 2 +- Tools/octetStream.cpp | 4 +++- deps/libOTe | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/OT/BaseOT.cpp b/OT/BaseOT.cpp index 4df297e68..be5e2ad87 100644 --- a/OT/BaseOT.cpp +++ b/OT/BaseOT.cpp @@ -146,6 +146,7 @@ void BaseOT::exec_base(bool new_receiver_inputs) if (ot_role & RECEIVER) { // Receive A + len = sizeof(receiver.S_pack); os[1].get_bytes((octet*) receiver.S_pack, len); if (len != HASHBYTES) { @@ -208,6 +209,7 @@ void BaseOT::exec_base(bool new_receiver_inputs) if (ot_role & SENDER) { // Receive B + len = sizeof(Rs_pack[1]); os[1].get_bytes((octet*) Rs_pack[1], len); if (len != sizeof(Rs_pack[1])) { diff --git a/OT/OTExtensionWithMatrix.cpp b/OT/OTExtensionWithMatrix.cpp index 409a4f995..b778b7195 100644 --- a/OT/OTExtensionWithMatrix.cpp +++ b/OT/OTExtensionWithMatrix.cpp @@ -131,7 +131,7 @@ void OTExtensionWithMatrix::extend(int nOTs_requested, const BitVector& newRecei channel->send("hello", 6); char buf[6]; channel->recv(buf, 6); - assert(buf == string("hello")); + assert(string(buf, 5) == string("hello")); #endif } diff --git a/Tools/octetStream.cpp b/Tools/octetStream.cpp index d028cd2c3..c36db64a8 100644 --- a/Tools/octetStream.cpp +++ b/Tools/octetStream.cpp @@ -143,7 +143,9 @@ void octetStream::store_bytes(octet* x, const size_t l) void octetStream::get_bytes(octet* ans, size_t& length) { - length = get_int(4); + auto rec_length = get_int(4); + if (rec_length != length) + throw runtime_error("unexpected length"); memcpy(ans, consume(length), length * sizeof(octet)); } diff --git a/deps/libOTe b/deps/libOTe index 3c1a60029..cd89232ff 160000 --- a/deps/libOTe +++ b/deps/libOTe @@ -1 +1 @@ -Subproject commit 3c1a60029f097ff794b8a88ce1215cff7eb76628 +Subproject commit cd89232ffac74286a4963d93480db44cbf604c41