-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: check for valid iteration length in pbkdf2 #3173
Conversation
cc @nodejs/crypto |
src/node_crypto.cc
Outdated
iter = args[2]->Int32Value(); | ||
if (iter < 0) { | ||
iter = args[2]->NumberValue(); | ||
if (iter < 0 || isnan(iter) || isinf(iter)) { | ||
type_error = "Bad iterations"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose the error could be more explanatory
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would bump this to a semver-major. let's do that in either a difference commit or PR so it can be backported.
Oh hey I'd given up on this, thanks for reviving! I'll check your suggestions and get back :) |
7da4fd4
to
c7066fb
Compare
ping @johannhof :-) |
An iteration length of NaN or Infinity is currently silently coerced to 0, which is more or less undefined behaviour. This commit makes NaN and Infinity invalid iteration parameter values. We're doing the same checks for other parameters already, so it would make sense to be consistent here.
3701251
to
3f25cfd
Compare
@nodejs/crypto sorry for the wait, ready for another review |
huh, can I not mention teams? then ping @jasnell @indutny @thefourtheye @trevnorris :) |
@johannhof ... Thanks! will take a look a bit later today! |
I wondering if it would be better for this check to be done in the JS instead. @nodejs/crypto |
c133999
to
83c7a88
Compare
@johannhof ... is this still something you'd like to pursue? |
Closing due to lack of forward progress. Can reopen and revisit if necessary |
An iteration length of NaN or Infinity is currently silently coerced to
0, which is more or less undefined behaviour. This commit makes NaN and
Infinity invalid iteration parameter values.
We're doing the same checks for other parameters already, so it would
make sense to be consistent here.