View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002743 | GNUnet | file-sharing service | public | 2013-01-23 20:31 | 2013-02-05 21:42 |
Reporter | LRN | Assigned To | Christian Grothoff | ||
Priority | low | Severity | tweak | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Product Version | Git master | ||||
Target Version | 0.9.5a | Fixed in Version | 0.9.5a | ||
Summary | 0002743: Possible buffer overflow in GNUNET_FS_publish_sks | ||||
Description |

GNUNET_FS_publish_sks() does this:

```c
slen = strlen (uris) + 1;
idlen = strlen (identifier);
if (NULL != update)
  nidlen = strlen (update) + 1;
else
  nidlen = 1;
mdsize = GNUNET_CONTAINER_meta_data_get_serialized_size (mmeta);
size = sizeof (struct SBlock) + slen + nidlen + mdsize;
if (size > MAX_SBLOCK_SIZE)
{
  size = MAX_SBLOCK_SIZE;
  mdsize = size - (sizeof (struct SBlock) + slen + nidlen);
}
sb = GNUNET_malloc (sizeof (struct SBlock) + size);
dest = (char *) &sb[1];
if (update != NULL)
  memcpy (dest, update, nidlen);
else
  memset (dest, 0, 1);
```

If size > MAX_SBLOCK_SIZE, mdsize is recalculated to occupy the space it can get after the update identifier is stored in the block. The code then allocates the block, then copies the update identifier into it. The code never checks that the update identifier fits into the block. Should we put a limit on the update identifier's length? Should we allow an SBlock with 0-length metadata (the rest is occupied by the update identifier) to be published?
Tags | No tags attached. | ||||
Note 0006792 (Christian Grothoff, 2013-01-24 11:53):

No, we should not limit identifiers IMO, but we do need to check for the buffer overflow (even though fortunately I see no way to exploit this, as the user can only provoke this on his own system, within processes he starts himself). Fixed in SVN 25874.
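The following is an added example, not code from GNUnet or from either participant, that isolates the size arithmetic quoted in the report and places a fit check beside it. The `struct SBlock` layout, the `MAX_SBLOCK_SIZE` value of 64 and the sample URI are constructed for the demonstration, and `plan_checked` is this example's own check, not the change made in SVN 25874.

```c
/* Added example: the quoted size computation, a measure of how far the
 * later memcpy would overrun, and a checked variant.  Header layout,
 * MAX_SBLOCK_SIZE and the sample URI are constructed, not GNUnet's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SBLOCK_SIZE 64          /* constructed limit for the example */

struct SBlock
{
  uint32_t header_fields[4];        /* stand-in for the real 16-byte header */
};

struct Layout
{
  size_t size;    /* 'size' as the quoted code computes it (header included);
                   * the payload after the header gets exactly this many bytes */
  size_t mdsize;  /* bytes left for serialized metadata */
  size_t nidlen;  /* bytes the update identifier needs, NUL included */
};

static const char *const SAMPLE_URI = "gnunet://fs/uri";   /* constructed */

/* The arithmetic exactly as quoted in the report.  When the header, URI
 * and identifier alone exceed the limit, the subtraction wraps (size_t)
 * and the copy of nidlen bytes runs past the 'size'-byte payload. */
static void
plan_unchecked (const char *uris, const char *update, size_t mdsize,
                struct Layout *out)
{
  size_t slen = strlen (uris) + 1;
  size_t nidlen = (NULL != update) ? strlen (update) + 1 : 1;
  size_t size = sizeof (struct SBlock) + slen + nidlen + mdsize;

  if (size > MAX_SBLOCK_SIZE)
  {
    size = MAX_SBLOCK_SIZE;
    mdsize = size - (sizeof (struct SBlock) + slen + nidlen);   /* may wrap */
  }
  out->size = size;
  out->mdsize = mdsize;
  out->nidlen = nidlen;
}

/* Bytes that memcpy (dest, update, nidlen) would write beyond the payload. */
static size_t
overflow_bytes (const struct Layout *l)
{
  return (l->nidlen > l->size) ? l->nidlen - l->size : 0;
}

/* Checked variant (this example's own, not the project's fix): verify the
 * fixed parts fit before trimming metadata.  Returns 0 on success, -1 when
 * the URI plus identifier cannot fit at all; metadata may shrink to 0. */
static int
plan_checked (const char *uris, const char *update, size_t mdsize,
              struct Layout *out)
{
  size_t slen = strlen (uris) + 1;
  size_t nidlen = (NULL != update) ? strlen (update) + 1 : 1;
  size_t fixed = sizeof (struct SBlock) + slen + nidlen;

  if (fixed > MAX_SBLOCK_SIZE)
    return -1;
  if (mdsize > MAX_SBLOCK_SIZE - fixed)
    mdsize = MAX_SBLOCK_SIZE - fixed;
  out->size = fixed + mdsize;
  out->mdsize = mdsize;
  out->nidlen = nidlen;
  return 0;
}

/* Probes: build an identifier of id_len 'x' characters and run both plans. */
static size_t
unchecked_overflow_for (size_t id_len, size_t mdsize)
{
  char id[256];
  struct Layout l;
  memset (id, 'x', id_len);
  id[id_len] = '\0';
  plan_unchecked (SAMPLE_URI, id, mdsize, &l);
  return overflow_bytes (&l);
}

static size_t
unchecked_mdsize_for (size_t id_len, size_t mdsize)
{
  char id[256];
  struct Layout l;
  memset (id, 'x', id_len);
  id[id_len] = '\0';
  plan_unchecked (SAMPLE_URI, id, mdsize, &l);
  return l.mdsize;
}

/* Returns the trimmed mdsize, or (size_t) -1 when the checked plan rejects. */
static size_t
checked_mdsize_for (size_t id_len, size_t mdsize)
{
  char id[256];
  struct Layout l;
  memset (id, 'x', id_len);
  id[id_len] = '\0';
  return (0 == plan_checked (SAMPLE_URI, id, mdsize, &l)) ? l.mdsize : (size_t) -1;
}

int
main (void)
{
  printf ("short id: overrun %zu bytes, checked mdsize %zu\n",
          unchecked_overflow_for (2, 10), checked_mdsize_for (2, 10));
  printf ("80-byte id: overrun %zu bytes, wrapped mdsize %zu, checked %s\n",
          unchecked_overflow_for (80, 10), unchecked_mdsize_for (80, 10),
          ((size_t) -1 == checked_mdsize_for (80, 10)) ? "rejected" : "accepted");
  return 0;
}
```

With the 16-byte header and 16-byte URI, a 2-character identifier leaves room and both plans agree; an 80-character identifier makes the unchecked `mdsize` wrap to a value far above the limit and leaves 17 identifier bytes with nowhere to go, which the checked plan refuses up front.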
Date Modified | Username | Field | Change |
---|---|---|---|
2013-01-23 20:31 | LRN | New Issue | |
2013-01-24 11:52 | Christian Grothoff | Assigned To | => Christian Grothoff |
2013-01-24 11:52 | Christian Grothoff | Status | new => assigned |
2013-01-24 11:53 | Christian Grothoff | Note Added: 0006792 | |
2013-01-24 11:53 | Christian Grothoff | Status | assigned => resolved |
2013-01-24 11:53 | Christian Grothoff | Fixed in Version | => 0.10.0 |
2013-01-24 11:53 | Christian Grothoff | Resolution | open => fixed |
2013-01-24 11:53 | Christian Grothoff | Product Version | => Git master |
2013-01-24 11:53 | Christian Grothoff | Target Version | => 0.10.0 |
2013-02-05 21:40 | Christian Grothoff | Fixed in Version | 0.10.0 => 0.9.5a |
2013-02-05 21:40 | Christian Grothoff | Target Version | 0.10.0 => 0.9.5a |
2013-02-05 21:42 | Christian Grothoff | Status | resolved => closed |