RCrypto: segfault on running "-E blowfish"

[kishorbhat]

Command $ rahash2 -S "abc" -E blowfish -s "testing" results in a segmentation fault.

Relevant code is here.
Suspicions are on invalid assumptions regarding the key, but there may be other issues.

[zonkzonk]

So SetHashString takes two arguments?

[crowell]

r_crypto_final (cry, NULL, 0);
return (cry && cry->h && cry->h->final)? cry->h->final (cry, buf, len): 0;
return update (cry, buf, len);
blowfish_crypt (&st, buf, obuf, len);
nice, buf is null
left = (inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3]);
segfault.

[alvarofe]

yes, in blowfish_crypt keylen is 3 but it assumes outbuf of size 8 so is a oob write. Can you fix it @therealkbhat ?

[kishorbhat]

@alvarofe yes, I'll fix this soon.

[radare]

any update on this?

On Sun, Mar 13, 2016 at 9:01 AM Kishor Bhat [email protected]
wrote:

@alvarofe https://github.com/alvarofe yes, I'll fix this soon.

—
Reply to this email directly or view it on GitHub
#4287 (comment).

[kishorbhat]

@radare Sorry, I was occupied over the weekend.

I'm having trouble debugging this. The code operates on key and plaintext string as hex bytes.

Even with $ rahash2 -E blowfish -S "aaaaaaaa" -s "aaaaaaaa", it produces one block (8 bytes) of ciphertext. However, it calls blowfish_crypt on the "next" block, which doesn't exist, and it segfaults. len gets set to 0, and update is called again. Why?

Also, @crowell , I don't see the null. :/

[radare]

anyway, tired of waiting I pushed the one-line fix.

[radare]

23af75f

[XVilka]

Has just been disabled, still require proper fix, @therealkbhat

[radare]

Define proper fix. Probably needs proper testing, nothing more, or maybe im missing something. the null deref was pretty clear. and it misses an error message maybe, but not much more imho.

Also, im aware decryption doesnt works because the function is not referenced anywhere, but this is unrelated to this issue

[Maijin]

I have unchecked the blowfish support in main issue then #4254