chacha20/poly1305: make sure to clear the buffer at correct position

The offset to the memory to clear was incorrect, causing a heap buffer overflow. CVE-2016-7054 Thanks to Robert Święcki for reporting this Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Richard Levitte <levitte@openssl.org> 2016-11-04 14:21:46 +0100
committer: Matt Caswell <matt@openssl.org> 2016-11-10 13:04:11 +0000
commit: bf52165bda53524a267c784696bd074111a2f178 (patch)
tree: 710c07a4175062ccf8352192dfd797bb657cc558
parent: a54aba531327285f64cf13a909bc129e9f9d5970 (diff)
download: openssl-bf52165bda53524a267c784696bd074111a2f178.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index cf4097ba5d..952bd3fca7 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -299,7 +299,7 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
             } else {
                 if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
-                    memset(out, 0, plen);
+                    memset(out - plen, 0, plen);
                     return -1;
                 }
             }
author	Richard Levitte <levitte@openssl.org>	2016-11-04 14:21:46 +0100
committer	Matt Caswell <matt@openssl.org>	2016-11-10 13:04:11 +0000
commit	bf52165bda53524a267c784696bd074111a2f178 (patch)
tree	710c07a4175062ccf8352192dfd797bb657cc558
parent	a54aba531327285f64cf13a909bc129e9f9d5970 (diff)
download	openssl-bf52165bda53524a267c784696bd074111a2f178.tar.gz