VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Driver
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2014-08-31 23:56:37 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2014-11-08 23:23:05 +0100
commit4fa4d6d22708231a51bdff93ef3220aa95b6fc80 (patch)
treee4ad7b2f67f98699c4964f1152120e49329ffb0d /src/Driver
parente0efb36f337be3e57e528addd714e10745da6d1f (diff)
downloadVeraCrypt-4fa4d6d22708231a51bdff93ef3220aa95b6fc80.tar.gz
VeraCrypt-4fa4d6d22708231a51bdff93ef3220aa95b6fc80.zip
Windows vulnerability fix: correct possible BSOD attack targeted towards GetWipePassCount() / WipeBuffer() found by the Open Crypto Audit Project.
Diffstat (limited to 'src/Driver')
-rw-r--r--src/Driver/DriveFilter.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c
index 331b3720..26fed73d 100644
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -1320,7 +1320,14 @@ static VOID SetupThreadProc (PVOID threadArg)
if (SetupRequest.WipeAlgorithm != TC_WIPE_NONE)
{
byte wipePass;
- for (wipePass = 1; wipePass <= GetWipePassCount (SetupRequest.WipeAlgorithm); ++wipePass)
+ int wipePassCount = GetWipePassCount (SetupRequest.WipeAlgorithm);
+ if (wipePassCount <= 0)
+ {
+ SetupResult = STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+
+ for (wipePass = 1; wipePass <= wipePassCount; ++wipePass)
{
if (!WipeBuffer (SetupRequest.WipeAlgorithm, wipeRandChars, wipePass, wipeBuffer, setupBlockSize))
{
@@ -1692,7 +1699,7 @@ static VOID DecoySystemWipeThreadProc (PVOID threadArg)
byte *wipeBuffer = NULL;
byte *wipeRandBuffer = NULL;
byte wipeRandChars[TC_WIPE_RAND_CHAR_COUNT];
- int wipePass;
+ int wipePass, wipePassCount;
int ea = Extension->Queue.CryptoInfo->ea;
KIRQL irql;
@@ -1755,7 +1762,14 @@ static VOID DecoySystemWipeThreadProc (PVOID threadArg)
if (offset.QuadPart > Extension->ConfiguredEncryptedAreaEnd)
break;
- for (wipePass = 1; wipePass <= GetWipePassCount (WipeDecoyRequest.WipeAlgorithm); ++wipePass)
+ wipePassCount = GetWipePassCount (WipeDecoyRequest.WipeAlgorithm);
+ if (wipePassCount <= 0)
+ {
+ DecoySystemWipeResult = STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+
+ for (wipePass = 1; wipePass <= wipePassCount; ++wipePass)
{
if (!WipeBuffer (WipeDecoyRequest.WipeAlgorithm, wipeRandChars, wipePass, wipeBuffer, wipeBlockSize))
{