From 17a3f72e852cb2c804eac64040d6bef3b2f8d40e Mon Sep 17 00:00:00 2001
From: ulfvonbelow
Date: Sun, 29 Jan 2023 05:15:30 -0600
Subject: [PATCH] UTIL: fix one-byte buffer over-reads.
GNUNET_CRYPTO_hash_from_string2 uses enclen as the length of its buffer that it passes to GNUNET_STRINGS_utf8_toupper, but GNUNET_STRINGS_utf8_toupper adds a null terminator, so it should be enclen+1. GNUNET_CRYPTO_crc16_step reads 1 byte past the end of the buffer passed to it. It masks out that byte in computing the result, but it's still technically an overread and could in extremely-rare circumstances cause a segmentation or access fault. It also upsets sanitizers, preventing other bugs from being found.
---
 src/util/crypto_crc.c | 2 +-
 src/util/crypto_hash.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/util/crypto_crc.c b/src/util/crypto_crc.c
index 9328f2b84..f93b5b0b3 100644
--- a/src/util/crypto_crc.c
+++ b/src/util/crypto_crc.c
@@ -114,7 +114,7 @@ GNUNET_CRYPTO_crc16_step (uint32_t sum, const void *buf, size_t len)
 for (; len >= 2; len -= 2)
 sum += *(hdr++);
 if (len == 1)
- sum += (*hdr) & ntohs (0xFF00);
+ sum += ntohs(*((uint8_t *)hdr) << 8);
 return sum;
 }
diff --git a/src/util/crypto_hash.c b/src/util/crypto_hash.c
index e45cb42e0..95c5c3480 100644
--- a/src/util/crypto_hash.c
+++ b/src/util/crypto_hash.c
@@ -73,7 +73,7 @@ GNUNET_CRYPTO_hash_from_string2 (const char *enc,
 size_t enclen,
 struct GNUNET_HashCode *result)
 {
- char upper_enc[enclen];
+ char upper_enc[enclen+1];
 char *up_ptr = upper_enc;
 if (GNUNET_OK != GNUNET_STRINGS_utf8_toupper (enc, up_ptr))
-- 
2.38.1
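Review bot: The new line `sum += ntohs(*((uint8_t *)hdr) << 8);` casts `hdr` to a non-const `uint8_t *`; `buf` arrives as `const void *` (hunk header), so `hdr` is presumably const-qualified and the cast strips that qualifier, which `-Wcast-qual` will report. Keeping the qualifier and making the narrowing to the `ntohs` argument explicit reads as `sum += ntohs ((uint16_t) (*(const uint8_t *) hdr << 8));`, which also follows the file's `ntohs (` spacing seen on the removed line. A one-line comment would save the next reader from re-deriving the byte-order argument: `/* odd trailing byte: fold it in as the high byte of a zero-padded network-order 16-bit word */`. The declaration of `hdr` and the rest of GNUNET_CRYPTO_crc16_step lie outside the hunk.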
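Review bot: `char upper_enc[enclen+1];` still sizes a stack VLA directly from the caller-supplied `enclen`, while the `GNUNET_STRINGS_utf8_toupper (enc, up_ptr)` call that fills it takes no length argument, so the added `+1` is only sufficient if `enc` is NUL-terminated within `enclen` bytes and the uppercase conversion never emits more bytes than it consumes; neither condition is checked in the hunk. A value of `enclen` that is inconsistent with the input, or simply very large, should be rejected before the array is declared (an enormous `enclen` wraps `enclen+1` to 0, a zero-length VLA is undefined behaviour, and a merely large one can exhaust the stack), e.g. `if (enclen > MAX_ENCLEN /* placeholder: expected encoded-hash length */) return GNUNET_SYSERR;`. Whether a later statement already bounds `enclen` is not visible, since the rest of GNUNET_CRYPTO_hash_from_string2 lies outside the hunk. The file's spacing convention would also write `enclen + 1`.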