View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006147 | Taler | exchange | public | 2020-04-02 12:30 | 2021-09-02 18:14 |
Reporter | fefe | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | trivial | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Product Version | 0.7.0 | ||||
Target Version | 0.7.1 | Fixed in Version | 0.7.1 | ||
Summary | 0006147: buffer too small in TALER_amount2s | ||||
Description | TALER_amount2s prints a monetary amount into a string buffer, including the value itself, an optional fraction part, and the name of the currency. The buffer size is large enough to handle 32-bit values, but we are actually printing 64-bit values. It should be increased. | ||||
Steps To Reproduce |

```c
const char *
TALER_amount2s (const struct TALER_Amount *amount)
{
  /* 12 is sufficient for a uint32_t value in decimal; 3 is for ":.\0" */
  static GNUNET_THREAD_LOCAL char result[TALER_AMOUNT_FRAC_LEN
                                         + TALER_CURRENCY_LEN + 3 + 12];
```

We are not printing a uint32_t, we are printing a 64-bit value.

```c
  char tail[TALER_AMOUNT_FRAC_LEN + 1];

  amount_to_tail (&norm,
                  tail);
  GNUNET_snprintf (result,
                   sizeof (result),
                   "%s:%llu.%s",
                   norm.currency,
                   (unsigned long long) norm.value,
                   tail);
```

The printing itself will abort if the value does not fit into the buffer, so no buffer overflow vulnerability here. However, a utility function like this should be able to print the full value range. | ||||
Tags | No tags attached. | ||||
|
Fixed as suggested. Albeit, amount values are actually 53-bit (not 64-bit) due to limitations in JavaScript. I've anyway made the buffer +12 bytes, can't hurt, just in case. |
|
Fix committed to master branch. |
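The sizing problem from this report, as an added stand-alone example (not Taler's code and not the committed fix): it derives the digit count from the integer type instead of a hard-coded 12 and checks the `snprintf` return value for truncation. `EX_CURRENCY_MAX`, `EX_FRAC_LEN`, `DEC_DIGITS` and `format_amount` are constructed names and values for illustration only.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example (not the project's values). */
#define EX_CURRENCY_MAX 11 /* max currency characters, without NUL */
#define EX_FRAC_LEN 8      /* digits after the decimal point */

/* Upper bound on decimal digits of an unsigned type: bits * log10(2) + 1. */
#define DEC_DIGITS(type) (sizeof (type) * CHAR_BIT * 30103 / 100000 + 1)

/* 3 is for ':', '.' and the terminating NUL. */
#define BUF_FOR_32BIT (EX_CURRENCY_MAX + EX_FRAC_LEN + 3 + 12)
#define BUF_FOR_64BIT (EX_CURRENCY_MAX + EX_FRAC_LEN + 3 + DEC_DIGITS (uint64_t))

_Static_assert (DEC_DIGITS (uint64_t) == 20, "UINT64_MAX has 20 decimal digits");

/* Format "CUR:value.frac" into buf. Returns the string length on success,
   or -1 if the output did not fit (snprintf truncated) or on error. */
static int
format_amount (char *buf, size_t buflen, const char *currency,
               uint64_t value, const char *frac)
{
  int n = snprintf (buf, buflen, "%s:%" PRIu64 ".%s", currency, value, frac);

  if (n < 0 || (size_t) n >= buflen)
    return -1; /* would have needed n + 1 bytes */
  return n;
}

int
main (void)
{
  char small[BUF_FOR_32BIT];
  char big[BUF_FOR_64BIT];
  const char *cur = "ABCDEFGHIJK"; /* constructed 11-character currency */

  printf ("32-bit value, small buffer: %d\n",
          format_amount (small, sizeof small, cur, UINT32_MAX, "99999999"));
  printf ("64-bit value, small buffer: %d\n",
          format_amount (small, sizeof small, cur, UINT64_MAX, "99999999"));
  printf ("64-bit value, sized buffer: %d\n",
          format_amount (big, sizeof big, cur, UINT64_MAX, "99999999"));
  return 0;
}
```

With these constructed limits the buffer sized for 32-bit values holds a `UINT32_MAX` amount but rejects `UINT64_MAX`, while the type-derived size fits the full 64-bit range exactly.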
Date Modified | Username | Field | Change |
---|---|---|---|
2020-04-02 12:30 | fefe | New Issue | |
2020-04-02 12:30 | fefe | Status | new => assigned |
2020-04-02 12:30 | fefe | Assigned To | => Christian Grothoff |
2020-04-02 13:52 | Christian Grothoff | Status | assigned => resolved |
2020-04-02 13:52 | Christian Grothoff | Resolution | open => fixed |
2020-04-02 13:52 | Christian Grothoff | Fixed in Version | => 0.7.1 |
2020-04-02 13:52 | Christian Grothoff | Note Added: 0015490 | |
2020-04-02 13:52 | Christian Grothoff | Target Version | => 0.7.1 |
2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed |
2021-09-02 18:13 | Christian Grothoff | Changeset attached | => Taler-exchange master a039926b |
2021-09-02 18:14 | Christian Grothoff | Note Added: 0018268 |