From 3d2dc0f8e5fae6d5c08e7355beae19e9bb0db99b Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 27 Feb 2013 14:52:37 +0100
Subject: [PATCH] Corrected GCM counter incrementation to use only 32-bits
instead of 128-bits
Using 32-bits has the possibility to overwrite the IV in the first 12
bytes of the Y variable.
Found by Yawning Angel
---
ChangeLog | 2 ++
library/gcm.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 75989bb91..a5fc141a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@ PolarSSL ChangeLog
= Master
Bugfix
* Fixed memory leak in ssl_free() and ssl_reset() for active session
+ * Corrected GCM counter incrementation to use only 32-bits instead of
+ 128-bits (found by Yawning Angel)
Security
* Removed further timing differences during SSL message decryption in
diff --git a/library/gcm.c b/library/gcm.c
index c91598cd2..68b6611e5 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -263,7 +263,7 @@ int gcm_crypt_and_tag( gcm_context *ctx,
{
use_len = ( length < 16 ) ? length : 16;
- for( i = 16; i > 0; i-- )
+ for( i = 16; i > 12; i-- )
if( ++y[i - 1] != 0 )
break;
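Review bot: The new bound `i > 12` encodes the inc32 operation of NIST SP 800-38D (only y[12..15], the big-endian 32-bit block counter, are incremented, and they wrap modulo 2^32 without carrying into the 96-bit IV), but nothing in the hunk says so; a comment above the loop such as `/* inc32: bump only the low 32 bits (y[12..15]), wrapping mod 2^32; never carry into the IV in y[0..11] */` would keep the next reader from "fixing" the bound back to 16. Because the counter now wraps silently, the wrap is only safe if gcm_crypt_and_tag or its caller rejects inputs longer than the 2^32-2 blocks permitted for a 96-bit IV; whether such a length check exists is not visible in this hunk and is worth confirming. The unbraced `for` body holding an unbraced `if` is easy to misread, so bracing the loop body would make the scope of the `break` explicit. gcm_crypt_and_tag begins and ends outside the hunk, and if the same byte-increment loop appears elsewhere in gcm.c it needs the identical bound.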