View Issue Details

IDProjectCategoryView StatusLast Update
0005744Talertwisterpublic2019-06-18 17:20
ReporterChristian GrothoffAssigned ToMarcello Stanisci 
PrioritynormalSeveritymajorReproducibilityN/A
Status resolvedResolutionfixed 
Platformi7OSDebian GNU/LinuxOS Versionsqueeze
Product VersionSVN HEAD 
Target Version0.6Fixed in Version0.6 
Summary0005744: TWISTER_PATH_LENGTH / TWISTER_VALUE_LENGTH should not exist, and is currently not properly enforced either
DescriptionInstead of using that constant, we should
0) Actually fail hard if the user gives us a value/path that exceeds the maximum, instead of right now strcpy()ing beyond allocated memory (!!!)
1) Use variable-size IPC messages (see GNUNET_MQ_msg_extra) where the path/value are appended (with 0-terminator) at the end of the message
   and not declared using a fixed-size 100-bytes in the message; for operations that include value and path, this means that the
   main message struct should then contain the strlen() of the two strings that follow (as uint16_t in network byte order).
2) adjust case (0) to limit to UINT16_MAX - sizeof(HDR).

For an example, see `struct GNUNET_STATISTICS_SetMessage` (gnunet/src/statistics/statistics.h). That one doesn't include the strlen()s in the message and instead we search for the two 0-terminators, but these days I think explicit strlen *and* 0-terminators is faster & generally safer.
TagsNo tags attached.

Activities

Christian Grothoff

2019-06-03 01:00

manager   ~0014499

This relates to Coverity bugs CIT 198809, 198811, 198813, 198818 and 198825. It must be fixed before the external security audit.

Marcello Stanisci

2019-06-13 19:13

manager   ~0014546

not sure if it is a bug, but here ([1]) the size is not (counter-)checked as it happens before the sending of the message (here: [2])

[1] https://git.gnunet.org/gnunet.git/tree/src/statistics/gnunet-service-statistics.c#n621
[2] https://git.gnunet.org/gnunet.git/tree/src/statistics/gnunet-service-statistics.c#n290

Christian Grothoff

2019-06-13 19:49

manager   ~0014549

[1] is not a bug, as (1) we know the size is < 64k because of the type being uint16_t, and it (2) must be > sizeof(*msg) because that's already checked by the message demultiplexer before it calls our handler (API invariant).

Marcello Stanisci

2019-06-15 00:31

manager   ~0014551

Implemented here: 6574f81dc505637bb671..

Feel free to have a second look!

Christian Grothoff

2019-06-15 15:42

manager   ~0014556

Looks largely fine. One thing we could improve:

 GNUNET_assert
    (stralloc + sizeof (struct TWISTER_FlipPath) < UINT16_MAX);

in twister_api.c is almost the right check (correct would be: <=). Also, we technically again shouldn't assert here, but simply "GNUNET_break(0); return NULL" if the API is called with a string that is too long.

Christian Grothoff

2019-06-15 15:46

manager   ~0014557

I've fixed this in 6574f81..ad58257

Issue History

Date Modified Username Field Change
2019-06-03 00:59 Christian Grothoff New Issue
2019-06-03 00:59 Christian Grothoff Status new => assigned
2019-06-03 00:59 Christian Grothoff Assigned To => Marcello Stanisci
2019-06-03 01:00 Christian Grothoff Note Added: 0014499
2019-06-11 22:20 Marcello Stanisci Summary TWISTER_PATH_LENGTH / TWISTER_VALUE_LENGTHshould not exist, and is currently not properly enforced either => TWISTER_PATH_LENGTH / TWISTER_VALUE_LENGTH should not exist, and is currently not properly enforced either
2019-06-13 19:13 Marcello Stanisci Note Added: 0014546
2019-06-13 19:49 Christian Grothoff Note Added: 0014549
2019-06-15 00:31 Marcello Stanisci Note Added: 0014551
2019-06-15 00:31 Marcello Stanisci Status assigned => resolved
2019-06-15 00:31 Marcello Stanisci Resolution open => fixed
2019-06-15 15:40 Christian Grothoff Fixed in Version => 0.7
2019-06-15 15:42 Christian Grothoff Note Added: 0014556
2019-06-15 15:46 Christian Grothoff Note Added: 0014557
2019-06-18 17:20 Christian Grothoff Fixed in Version 0.7 => 0.6
2019-06-18 17:20 Christian Grothoff Target Version 0.7 => 0.6