View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 0006147 | Taler | exchange | public | 2020-04-02 12:30 | 2021-09-02 18:14 | 
| Reporter | fefe | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | trivial | Reproducibility | N/A | 
| Status | closed | Resolution | fixed | ||
| Product Version | 0.7.0 | ||||
| Target Version | 0.7.1 | Fixed in Version | 0.7.1 | ||
| Summary | 0006147: buffer too small in TALER_amount2s | ||||
| Description | TALER_amount2s prints a monetary amount into a string buffer, including the value itself, an optional fraction part, and the name of the currency. The buffer size is large enough to handle 32-bit values, but we are actually printing 64-bit values. It should be increased. | ||||
| Steps To Reproduce | `const char *`<br>`TALER_amount2s (const struct TALER_Amount *amount)`<br>`{`<br>`/* 12 is sufficient for a uint32_t value in decimal; 3 is for ":.\0" */`<br>`static GNUNET_THREAD_LOCAL char result[TALER_AMOUNT_FRAC_LEN + TALER_CURRENCY_LEN + 3 + 12];`<br><br>We are not printing a uint32_t, we are printing a 64-bit value.<br><br>`char tail[TALER_AMOUNT_FRAC_LEN + 1];`<br>`amount_to_tail (&norm, tail);`<br>`GNUNET_snprintf (result, sizeof (result), "%s:%llu.%s", norm.currency, (unsigned long long) norm.value, tail);`<br><br>The printing itself will abort if the value does not fit into the buffer, so no buffer overflow vulnerability here. However, a utility function like this should be able to print the full value range. | ||||
| Tags | No tags attached. | ||||
|  | Fixed as suggested. Albeit, amount values are actually 53-bit (not 64-bit) due to limitations in JavaScript. I've anyway made the buffer +12 bytes, can't hurt, just in case. | 
|  | Fix committed to master branch. | 
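
The sizing problem from the report, as an added example that is not code from the Taler repository: it derives the buffer size from the width of the type being printed and checks the return value of plain `snprintf` for truncation. `CURRENCY_LEN`, `FRAC_LEN`, `amount_fits` and the sample currency and tail strings are assumptions made for the illustration.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this example; not read from the Taler headers. */
#define CURRENCY_LEN 12 /* currency name including its NUL */
#define FRAC_LEN 8      /* maximum number of fractional digits */

/* Upper bound on decimal digits of an unsigned type: bits * log10(2),
   rounded up (302/1000 slightly over-approximates log10(2)). */
#define DEC_DIGITS(type) (sizeof (type) * CHAR_BIT * 302 / 1000 + 1)

/* Size as quoted in the report: 12 bytes reserved for the value. */
#define OLD_SIZE (FRAC_LEN + CURRENCY_LEN + 3 + 12)
/* Size derived from the type that is actually printed. */
#define U64_SIZE (FRAC_LEN + CURRENCY_LEN + 3 + DEC_DIGITS (uint64_t))

/* Format "<currency>:<value>.<tail>" into a buffer of `size` bytes.
   Returns 1 if the whole string fit, 0 if it was truncated,
   -1 on bad arguments or an output error. */
static int
amount_fits (size_t size, const char *currency, uint64_t value,
             const char *tail)
{
  char buf[128];
  int n;

  if ((0 == size) || (size > sizeof (buf)))
    return -1;
  n = snprintf (buf, size, "%s:%" PRIu64 ".%s", currency, value, tail);
  if (n < 0)
    return -1;
  return ((size_t) n < size) ? 1 : 0;
}

int
main (void)
{
  /* Constructed worst case: longest currency name and longest tail. */
  const char *cur = "ABCDEFGHIJK";
  const char *tail = "99999999";
  const uint64_t vals[] = { UINT32_MAX, UINT64_C (1) << 53, UINT64_MAX };

  for (size_t i = 0; i < sizeof (vals) / sizeof (vals[0]); i++)
    printf ("%20" PRIu64 "  old=%d  u64=%d\n", vals[i],
            amount_fits (OLD_SIZE, cur, vals[i], tail),
            amount_fits (U64_SIZE, cur, vals[i], tail));
  return 0;
}
```

With these assumed constants, whether the 12-byte reservation truncates depends on the currency name length as well as the value, so a short name can hide the problem in testing.
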
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2020-04-02 12:30 | fefe | New Issue | |
| 2020-04-02 12:30 | fefe | Status | new => assigned | 
| 2020-04-02 12:30 | fefe | Assigned To | => Christian Grothoff | 
| 2020-04-02 13:52 | Christian Grothoff | Status | assigned => resolved | 
| 2020-04-02 13:52 | Christian Grothoff | Resolution | open => fixed | 
| 2020-04-02 13:52 | Christian Grothoff | Fixed in Version | => 0.7.1 | 
| 2020-04-02 13:52 | Christian Grothoff | Note Added: 0015490 | |
| 2020-04-02 13:52 | Christian Grothoff | Target Version | => 0.7.1 | 
| 2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed | 
| 2021-09-02 18:13 | Christian Grothoff | Changeset attached | => Taler-exchange master a039926b | 
| 2021-09-02 18:14 | Christian Grothoff | Note Added: 0018268 | 
