View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005744 | Taler | twister | public | 2019-06-03 00:59 | 2019-12-20 19:12 |
Reporter | Christian Grothoff | Assigned To | Marcello Stanisci | ||
Priority | normal | Severity | major | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Platform | i7 | OS | Debian GNU/Linux | OS Version | squeeze |
Product Version | git (master) | ||||
Target Version | 0.6 | Fixed in Version | 0.6 | ||
Summary | 0005744: TWISTER_PATH_LENGTH / TWISTER_VALUE_LENGTH should not exist, and is currently not properly enforced either | ||||
Description | Instead of using that constant, we should 0) Actually fail hard if the user gives us a value/path that exceeds the maximum, instead of right now strcpy()ing beyond allocated memory (!!!) 1) Use variable-size IPC messages (see GNUNET_MQ_msg_extra) where the path/value are appended (with 0-terminator) at the end of the message and not declared using a fixed-size 100-bytes in the message; for operations that include value and path, this means that the main message struct should then contain the strlen() of the two strings that follow (as uint16_t in network byte order). 2) adjust case (0) to limit to UINT16_MAX - sizeof(HDR). For an example, see `struct GNUNET_STATISTICS_SetMessage` (gnunet/src/statistics/statistics.h). That one doesn't include the strlen()s in the message and instead we search for the two 0-terminators, but these days I think explicit strlen *and* 0-terminators is faster & generally safer. | ||||
Tags | No tags attached. | ||||
|
This relates to Coverity bugs CIT 198809, 198811, 198813, 198818 and 198825. It must be fixed before the external security audit. |
|
not sure if it is a bug, but here ([1]) the size is not (counter-)checked as it happens before the sending of the message (here: [2]) [1] https://git.gnunet.org/gnunet.git/tree/src/statistics/gnunet-service-statistics.c#n621 [2] https://git.gnunet.org/gnunet.git/tree/src/statistics/gnunet-service-statistics.c#n290 |
|
[1] is not a bug, as (1) we know the size is < 64k because of the type being uint16_t, and it (2) must be > sizeof(*msg) because that's already checked by the message demultiplexer before it calls our handler (API invariant). |
|
Implemented here: 6574f81dc505637bb671.. Feel free to have a second look! |
|
Looks largely fine. One thing we could improve: GNUNET_assert (stralloc + sizeof (struct TWISTER_FlipPath) < UINT16_MAX); in twister_api.c is almost the right check (correct would be: <=). Also, we technically again shouldn't assert here, but simply "GNUNET_break(0); return NULL" if the API is called with a string that is too long. |
|
I've fixed this in 6574f81..ad58257 |
Date Modified | Username | Field | Change |
---|---|---|---|
2019-06-03 00:59 | Christian Grothoff | New Issue | |
2019-06-03 00:59 | Christian Grothoff | Status | new => assigned |
2019-06-03 00:59 | Christian Grothoff | Assigned To | => Marcello Stanisci |
2019-06-03 01:00 | Christian Grothoff | Note Added: 0014499 | |
2019-06-11 22:20 | Marcello Stanisci | Summary | TWISTER_PATH_LENGTH / TWISTER_VALUE_LENGTHshould not exist, and is currently not properly enforced either => TWISTER_PATH_LENGTH / TWISTER_VALUE_LENGTH should not exist, and is currently not properly enforced either |
2019-06-13 19:13 | Marcello Stanisci | Note Added: 0014546 | |
2019-06-13 19:49 | Christian Grothoff | Note Added: 0014549 | |
2019-06-15 00:31 | Marcello Stanisci | Note Added: 0014551 | |
2019-06-15 00:31 | Marcello Stanisci | Status | assigned => resolved |
2019-06-15 00:31 | Marcello Stanisci | Resolution | open => fixed |
2019-06-15 15:40 | Christian Grothoff | Fixed in Version | => 0.7.1 |
2019-06-15 15:42 | Christian Grothoff | Note Added: 0014556 | |
2019-06-15 15:46 | Christian Grothoff | Note Added: 0014557 | |
2019-06-18 17:20 | Christian Grothoff | Fixed in Version | 0.7.1 => 0.6 |
2019-06-18 17:20 | Christian Grothoff | Target Version | 0.7.1 => 0.6 |
2019-12-20 19:12 | Christian Grothoff | Status | resolved => closed |