View Issue Details

Related ChangesetsJump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006147Talerexchangepublic2020-04-02 12:302021-09-02 18:14
Reporterfefe Assigned ToChristian Grothoff  
PrioritynormalSeveritytrivialReproducibilityN/A
Status closedResolutionfixed 
Product Version0.7.0 
Target Version0.7.1Fixed in Version0.7.1 
Summary0006147: buffer too small in TALER_amount2s
DescriptionTALER_amount2s prints a monetary amount into a string buffer, including the value itself, an optional fraction part, and the name of the currency. The buffer size is large enough to handle 32-bit values, but we are actually printing 64-bit values. It should be increased.
Steps To Reproduce624 const char *
625 TALER_amount2s (const struct TALER_Amount *amount)
626 {
627 /* 12 is sufficient for a uint32_t value in decimal; 3 is for ":.\0" */
628 static GNUNET_THREAD_LOCAL char result[TALER_AMOUNT_FRAC_LEN
629 + TALER_CURRENCY_LEN + 3 + 12];

We are not printing a uint32_t, we are printing a 64-bit value.

639 char tail[TALER_AMOUNT_FRAC_LEN + 1];
640
641 amount_to_tail (&norm,
642 tail);
643 GNUNET_snprintf (result,
644 sizeof (result),
645 "%s:%llu.%s",
646 norm.currency,
647 (unsigned long long) norm.value,
648 tail);

The printing itself will abort if the value does not fit into the buffer, so no buffer overflow vulnerability here.
However, a utility function like this should be able to print the full value range.
TagsNo tags attached.

Activities

Christian Grothoff

2020-04-02 13:52

manager   ~0015490

Fixed as suggested. Albeit, amount values are actually 53-bit (not 64-bit) due to limitations in JavaScript. I've anyway made the buffer +12 bytes, can't hurt, just in case.

Christian Grothoff

2021-09-02 18:14

manager   ~0018268

Fix committed to master branch.

Related Changesets

exchange: master a039926b

2020-04-02 15:47

Christian Grothoff


Details Diff		 fix 0006147 Affected Issues
0006147
mod - src/util/amount.c Diff File

Issue History

Date Modified Username Field Change
2020-04-02 12:30 fefe New Issue
2020-04-02 12:30 fefe Status new => assigned
2020-04-02 12:30 fefe Assigned To => Christian Grothoff
2020-04-02 13:52 Christian Grothoff Status assigned => resolved
2020-04-02 13:52 Christian Grothoff Resolution open => fixed
2020-04-02 13:52 Christian Grothoff Fixed in Version => 0.7.1
2020-04-02 13:52 Christian Grothoff Note Added: 0015490
2020-04-02 13:52 Christian Grothoff Target Version => 0.7.1
2021-08-24 16:23 Christian Grothoff Status resolved => closed
2021-09-02 18:13 Christian Grothoff Changeset attached => Taler-exchange master a039926b
2021-09-02 18:14 Christian Grothoff Note Added: 0018268