rc4: Round up output buffer size.

valgrind indicated that RC4() writes beyond the end of the output buffer which
was was of the same size than the input buffer. Workaround this by rounding up
the output buffer size to a multiple of 8.

diff --git a/net.c b/net.c
index bc7d234bfa2ec01619d8bc698dfb2841053b0eca..88eb20e56eefe69328b9336ce8842b69fe8532d3 100644 (file)
--- a/net.c
+++ b/net.c
@@ -151,7 +151,8 @@ int send_bin_buffer(int fd, const char *buf, size_t len)
                cf = crypt_data_array[fd].send;
        if (cf) {
                void *private = crypt_data_array[fd].private_data;
-               unsigned char *outbuf = para_malloc(len);
+               /* RC4 may write more than len to the output buffer */
+               unsigned char *outbuf = para_malloc(ROUND_UP(len, 8));
                (*cf)(len, (unsigned char *)buf, outbuf, private);
                ret = sendall(fd, (char *)outbuf, &len);
                free(outbuf);

diff --git a/para.h b/para.h
index a4753d4b5f5afa4eedc9a982f15f33c2f175626d..5197360dc38c27cb21710806fba41662b0241c24 100644 (file)
--- a/para.h
+++ b/para.h
@@ -205,3 +205,6 @@ __printf_2_3 void para_log(int, const char*, ...);
                p = para_realloc(p, size); \
        } \
 }
+
+/* Round up x to a multiple of y */
+#define ROUND_UP(x, y) (((x) + (y - 1) / (y)) * (y))