View Issue Details

ID: 0006154
Project: GNUnet
Category: ARM service
View Status: public
Last Update: 2020-04-22 17:27
Reporter: fefe
Assigned To: Christian Grothoff
Priority: normal
Severity: minor
Reproducibility: N/A
Status: resolved
Resolution: fixed
Product Version: SVN HEAD
Target Version: 0.13.0
Fixed in Version:
Summary: 0006154: Integer overflow in GNUNET_STRINGS_buffer_fill
Description:

  size_t
  GNUNET_STRINGS_buffer_fill (char *buffer, size_t size, unsigned int count, ...)
  {
    size_t needed;
    size_t slen;
    const char *s;
    va_list ap;

    needed = 0;
    va_start (ap, count);
    while (count > 0)
    {
      s = va_arg (ap, const char *);

      slen = strlen (s) + 1;
      if (buffer != NULL)
      {
        GNUNET_assert (needed + slen <= size);

The arithmetic can overflow here. That could only happen if the caller is trying to trick you, so it's a defense in depth thing. But maybe the caller was attacked and the attacker gained enough control to trick this function and not to gain code execution immediately. In that case, this bug would give him code execution.
Steps To Reproduce:

Recommendation:

  GNUNET_assert(slen <= size - needed);
Tags: No tags attached.
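
The difference between the reported check and the recommended one, as an added example (not GNUnet's code and not part of the report). The names fits_wrapping, fits_safe and fill_checked are hypothetical, fill_checked takes an array instead of varargs and returns 0 instead of asserting, and the numbers are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check as on the reported line: size_t addition is modulo SIZE_MAX + 1,
   so a huge slen wraps the sum to a small value that passes. */
static bool
fits_wrapping (size_t needed, size_t slen, size_t size)
{
  return needed + slen <= size;
}

/* Check as recommended in the report; needed <= size is tested first so
   the subtraction itself cannot wrap. */
static bool
fits_safe (size_t needed, size_t slen, size_t size)
{
  return needed <= size && slen <= size - needed;
}

/* Hypothetical array-based stand-in for the variadic fill loop: copies
   count strings with their terminators, returns bytes written, or 0 if
   they do not fit. */
static size_t
fill_checked (char *buffer, size_t size, size_t count, const char *const *strs)
{
  size_t needed = 0;

  for (size_t i = 0; i < count; i++)
  {
    size_t slen = strlen (strs[i]) + 1;

    if (! fits_safe (needed, slen, size))
      return 0;
    memcpy (&buffer[needed], strs[i], slen);
    needed += slen;
  }
  return needed;
}

int
main (void)
{
  /* Constructed values: 8 bytes used of 16, then an absurdly large slen. */
  printf ("wrapping check passes: %d, safe check passes: %d\n",
          fits_wrapping (8, SIZE_MAX - 3, 16), fits_safe (8, SIZE_MAX - 3, 16));
  return 0;
}
```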

Activities

Christian Grothoff

2020-04-03 14:24

manager   ~0015500

Fixed in a3d4063b7..1b5dfc396 (together with a related issue: check only applied if buffer is non-NULL). Plus scope minimizations.

Issue History

Date Modified Username Field Change
2020-04-03 12:22 fefe New Issue
2020-04-03 12:22 fefe Status new => assigned
2020-04-03 12:22 fefe Assigned To => Christian Grothoff
2020-04-03 14:24 Christian Grothoff Note Added: 0015500
2020-04-03 14:24 Christian Grothoff Project Taler => GNUnet
2020-04-03 14:24 Christian Grothoff Category exchange => General
2020-04-03 14:25 Christian Grothoff Status assigned => resolved
2020-04-03 14:25 Christian Grothoff Resolution open => fixed
2020-04-03 14:25 Christian Grothoff Fixed in Version => 0.12.3
2020-04-03 14:25 Christian Grothoff Category General => ARM service
2020-04-03 14:25 Christian Grothoff Product Version 0.7.0 => SVN HEAD
2020-04-03 14:25 Christian Grothoff Target Version => 0.12.3
2020-04-22 17:27 schanzen Target Version 0.12.3 => 0.13.0