View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002611 | GNUnet | namestore service | public | 2012-11-05 09:24 | 2012-11-05 18:33 |
| Reporter | Matthias Wachs | Assigned To | Christian Grothoff | ||
| Priority | high | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | no change required | ||
| Product Version | Git master | ||||
| Target Version | 0.9.4 | Fixed in Version | 0.9.4 | ||
| Summary | 0002611: use of uninitialized memory in GNS namestore block plugin signature verification | ||||
| Tags | No tags attached. | ||||

Description:

```text
==37780== Memcheck, a memory error detector
==37780== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==37780== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==37780== Command: /home/grothoff/lib/gnunet/libexec/gnunet-service-dht -c /tmp/test-gns-simple-mx-lookupop9ygm/0/config
==37780== Parent PID: 37775
==37780==
==37780== Conditional jump or move depends on uninitialised value(s)
==37780==    at 0x66F6FC1: do_get_buffer (mpicoder.c:273)
==37780==    by 0x66F794C: _gcry_mpi_print (mpicoder.c:549)
==37780==    by 0x66B1C12: vsexp_sscan (sexp.c:1300)
==37780==    by 0x66B2FB9: _gcry_sexp_vbuild (sexp.c:1608)
==37780==    by 0x66AD0F1: gcry_sexp_build (visibility.c:115)
==37780==    by 0x60A8189: GNUNET_CRYPTO_rsa_verify (crypto_rsa.c:1330)
==37780==    by 0x87734DE: GNUNET_NAMESTORE_verify_signature (namestore_api.c:1132)
==37780==    by 0x8369631: block_plugin_gns_evaluate (plugin_block_gns.c:176)
==37780==    by 0x5C6C057: GNUNET_BLOCK_evaluate (block.c:217)
==37780==    by 0x4072A2: datacache_get_iterator (gnunet-service-dht_datacache.c:192)
==37780==    by 0x8F882E9: sqlite_plugin_get (plugin_datacache_sqlite.c:263)
==37780==    by 0x5E6FE53: GNUNET_DATACACHE_get (datacache.c:290)
==37780==
==37780== Conditional jump or move depends on uninitialised value(s)
==37780==    at 0x66F6FC1: do_get_buffer (mpicoder.c:273)
==37780==    by 0x66F794C: _gcry_mpi_print (mpicoder.c:549)
==37780==    by 0x66B1CBC: vsexp_sscan (sexp.c:1327)
==37780==    by 0x66B2FB9: _gcry_sexp_vbuild (sexp.c:1608)
==37780==    by 0x66AD0F1: gcry_sexp_build (visibility.c:115)
==37780==    by 0x60A8189: GNUNET_CRYPTO_rsa_verify (crypto_rsa.c:1330)
==37780==    by 0x87734DE: GNUNET_NAMESTORE_verify_signature (namestore_api.c:1132)
==37780==    by 0x8369631: block_plugin_gns_evaluate (plugin_block_gns.c:176)
==37780==    by 0x5C6C057: GNUNET_BLOCK_evaluate (block.c:217)
==37780==    by 0x4072A2: datacache_get_iterator (gnunet-service-dht_datacache.c:192)
==37780==    by 0x8F882E9: sqlite_plugin_get (plugin_datacache_sqlite.c:263)
==37780==    by 0x5E6FE53: GNUNET_DATACACHE_get (datacache.c:290)
==37780==
==37780==
==37780== HEAP SUMMARY:
==37780==     in use at exit: 4,930 bytes in 48 blocks
==37780==   total heap usage: 4,062 allocs, 4,014 frees, 889,827 bytes allocated
==37780==
==37780== LEAK SUMMARY:
==37780==    definitely lost: 0 bytes in 0 blocks
==37780==    indirectly lost: 0 bytes in 0 blocks
==37780==      possibly lost: 0 bytes in 0 blocks
==37780==    still reachable: 4,930 bytes in 48 blocks
==37780==         suppressed: 0 bytes in 0 blocks
==37780== Reachable blocks (those to which a pointer was found) are not shown.
==37780== To see them, rerun with: --leak-check=full --show-reachable=yes
==37780==
==37780== For counts of detected and suppressed errors, rerun with: -v
==37780== Use --track-origins=yes to see where uninitialised values come from
==37780== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 0 from 0)
```
When checking the code: only uninitialized value can be "sig"

```c
gcry_sexp_t data;
gcry_sexp_t sigdata;
size_t size;
gcry_mpi_t val;
gcry_sexp_t psexp;
size_t erroff;

size = sizeof (struct GNUNET_CRYPTO_RsaSignature);
GNUNET_assert (0 == gcry_mpi_scan (&val, GCRYMPI_FMT_USG, (const unsigned char *) sig, size, &size));
GNUNET_assert (0 == gcry_sexp_build (&sigdata, &erroff, "(sig-val(rsa(s %m)))", val));
```
```c
271 /* This is sub-optimal but we need to do the shift operation because
272    the caller has to free the returned buffer. */
273 for (p=buffer; !*p && *nbytes; p++, --*nbytes)
274   ;
```

Should probably be

```c
273 for (p=buffer; *nbytes && !*p; p++, --*nbytes)
```

to avoid reading one past 'buffer+nbytes'. But that's a libgcrypt issue for WK, not a real issue for us.
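The note above attributes the Memcheck report to operand order in the leading-zero strip loop: `!*p && *nbytes` dereferences `p` before checking that any bytes remain, so a buffer that is zero all the way to the end is read at `buffer[nbytes]`, one byte past what was scanned. The following is an added example written for this page, not code from libgcrypt or GNUnet; it models both loop orders over a bounds-tracking reader (the `tracked_buf`, `tracked_read`, `run_strip` names and the two constructed inputs are this example's own) so the stray read shows up as a flag instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounds-checked reader that stands in for the raw pointer walk.
   It refuses to dereference outside [0, len) and records that an attempt
   was made, which is what Memcheck flags when the byte is uninitialised heap. */
struct tracked_buf {
    const unsigned char *data;
    size_t len;
    int read_past_end;   /* set if the loop tried to read data[len] or beyond */
};

static unsigned char tracked_read(struct tracked_buf *b, size_t i)
{
    if (i >= b->len) {
        b->read_past_end = 1;
        return 0;        /* the real code would return whatever sits after the buffer */
    }
    return b->data[i];
}

/* Original operand order from the note: the byte is read first, then the
   remaining count is checked. Returns the number of leading zeros stripped. */
static size_t strip_zeros_original(struct tracked_buf *b, size_t *nbytes)
{
    size_t i = 0;
    while (!tracked_read(b, i) && *nbytes) { i++; --*nbytes; }
    return i;
}

/* Reordered as the note suggests: the count is checked before the read, so
   once the buffer is exhausted no further dereference happens. */
static size_t strip_zeros_fixed(struct tracked_buf *b, size_t *nbytes)
{
    size_t i = 0;
    while (*nbytes && !tracked_read(b, i)) { i++; --*nbytes; }
    return i;
}

struct strip_result {
    size_t stripped;     /* leading zero bytes consumed */
    size_t remaining;    /* bytes left after stripping */
    int read_past_end;   /* 1 if the loop tried to read beyond the input */
};

/* Runs one variant over an input and reports what it did. */
static struct strip_result run_strip(const unsigned char *data, size_t len, int use_fixed)
{
    struct tracked_buf b = { data, len, 0 };
    struct strip_result r;
    size_t n = len;
    r.stripped = use_fixed ? strip_zeros_fixed(&b, &n) : strip_zeros_original(&b, &n);
    r.remaining = n;
    r.read_past_end = b.read_past_end;
    return r;
}

/* Constructed inputs: an operand that is zero in every byte (the case that
   triggers the extra read) and one with two leading zeros before real data. */
#define INPUT_LEN 4
static const unsigned char ALL_ZERO_INPUT[INPUT_LEN]     = { 0x00, 0x00, 0x00, 0x00 };
static const unsigned char LEADING_ZERO_INPUT[INPUT_LEN] = { 0x00, 0x00, 0x2a, 0x01 };

static void report(const char *label, struct strip_result r)
{
    printf("%-28s stripped=%zu remaining=%zu read_past_end=%d\n",
           label, r.stripped, r.remaining, r.read_past_end);
}

int main(void)
{
    report("original, all zero:",     run_strip(ALL_ZERO_INPUT, INPUT_LEN, 0));
    report("fixed, all zero:",        run_strip(ALL_ZERO_INPUT, INPUT_LEN, 1));
    report("original, leading zeros:", run_strip(LEADING_ZERO_INPUT, INPUT_LEN, 0));
    report("fixed, leading zeros:",    run_strip(LEADING_ZERO_INPUT, INPUT_LEN, 1));
    return 0;
}
```

Both orders strip the same number of bytes and leave the same remainder, so the reordering changes no result; the only difference is that on the all-zero input the original order touches index 4 of a 4-byte buffer, which is exactly the read Memcheck reports at mpicoder.c:273 in the trace above. When the byte past the buffer happens to be nonzero the loop still terminates correctly, which is why the defect only surfaces under Valgrind rather than as a functional failure.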
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-11-05 09:24 | Matthias Wachs | New Issue | |
| 2012-11-05 09:24 | Matthias Wachs | Status | new => assigned |
| 2012-11-05 09:24 | Matthias Wachs | Assigned To | => Matthias Wachs |
| 2012-11-05 09:41 | Christian Grothoff | Summary | Memory leak in namestore-api => use of uninitialized memory in GNS namestore block plugin signature verification |
| 2012-11-05 09:43 | Matthias Wachs | Note Added: 0006512 | |
| 2012-11-05 11:54 | Christian Grothoff | Priority | normal => high |
| 2012-11-05 15:30 | Christian Grothoff | Assigned To | Matthias Wachs => Christian Grothoff |
| 2012-11-05 15:38 | Christian Grothoff | Note Added: 0006525 | |
| 2012-11-05 15:38 | Christian Grothoff | Status | assigned => feedback |
| 2012-11-05 15:38 | Christian Grothoff | Target Version | 0.9.4 => |
| 2012-11-05 15:40 | Christian Grothoff | Status | feedback => resolved |
| 2012-11-05 15:40 | Christian Grothoff | Fixed in Version | => 0.9.4 |
| 2012-11-05 15:40 | Christian Grothoff | Resolution | open => no change required |
| 2012-11-05 15:40 | Christian Grothoff | Target Version | => 0.9.4 |
| 2012-11-05 18:33 | Christian Grothoff | Status | resolved => closed |
| 2013-10-02 13:56 | Christian Grothoff | Category | namestore => namestore service |