From: Richard Levitte <levitte@openssl.org>
Date: Fri, 4 Nov 2016 13:21:46 +0000 (+0100)
Subject: chacha20/poly1305: make sure to clear the buffer at correct position
X-Git-Tag: OpenSSL_1_1_0c~8
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=99d97842ddb5fbbbfb5e9820a64ebd19afe569f6;p=oweals%2Fopenssl.git

chacha20/poly1305: make sure to clear the buffer at correct position

The offset to the memory to clear was incorrect, causing a heap buffer
overflow.

CVE-2016-7054

Thanks to Robert Święcki for reporting this

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b8e4011fb26364e44230946b87ab38cc1c719aae)
---

diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index cf4097ba5d..952bd3fca7 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -299,7 +299,7 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
             } else {
                 if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
-                    memset(out, 0, plen);
+                    memset(out - plen, 0, plen);
                     return -1;
                 }
             }