diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc index efe83c5343..fa496413ae 100644 --- a/src/analyzer/protocol/quic/decrypt_crypto.cc +++ b/src/analyzer/protocol/quic/decrypt_crypto.cc @@ -152,7 +152,7 @@ Function that calls the AEAD decryption routine, and returns the decrypted data. */ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& all_data, uint64_t payload_length, const DecryptionInformation& decryptInfo) { - int out, out2, res; + int out, out2; if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH ) throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length, @@ -202,7 +202,8 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size); // Validate whether the decryption was successful or not - EVP_CipherFinal_ex(ctx, NULL, &out2); + if ( EVP_CipherFinal_ex(ctx, NULL, &out2) == 0 ) + throw hilti::rt::RuntimeError("decryption failed"); // Copy the decrypted data from the decrypted buffer into a Bytes instance. return hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out); diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut new file mode 100644 index 0000000000..1a3b7336c7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid cause analyzer_kind analyzer_name failure_reason +1733909795.417573 C4J4Th3PJpwUYZZ6gc violation protocol QUIC decryption failed (<...>/QUIC.spicy:) diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut new file mode 100644 index 0000000000..e9151b0dee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid proto history service +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h udp D - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc udp D - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 tcp F ftp diff --git a/testing/btest/Traces/quic/383379789-decrypt-crash.pcap b/testing/btest/Traces/quic/383379789-decrypt-crash.pcap new file mode 100644 index 0000000000..aeb9808508 Binary files /dev/null and b/testing/btest/Traces/quic/383379789-decrypt-crash.pcap differ diff --git a/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek b/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek new file mode 100644 index 0000000000..4b64b04dc4 --- /dev/null +++ b/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Trace produced by OSS-Fuzz triggered a crash due to using a too small local buffer for decryption. + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -Cr $TRACES/quic/383379789-decrypt-crash.pcap base/protocols/quic %INPUT +# @TEST-EXEC: zeek-cut -m ts uid proto history service < conn.log > conn.log.cut +# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut