View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006154 | GNUnet | ARM service | public | 2020-04-03 12:22 | 2020-08-14 12:04 |
| Reporter | fefe | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | minor | Reproducibility | N/A |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.13.0 | ||||
| Summary | 0006154: Integer overflow in GNUNET_STRINGS_buffer_fill | ||||
| Description | 64 size_t 65 GNUNET_STRINGS_buffer_fill (char *buffer, size_t size, unsigned int count, ...) 66 { 67 size_t needed; 68 size_t slen; 69 const char *s; 70 va_list ap; 71 72 needed = 0; 73 va_start (ap, count); 74 while (count > 0) 75 { 76 s = va_arg (ap, const char *); 77 78 slen = strlen (s) + 1; 79 if (buffer != NULL) 80 { 81 GNUNET_assert (needed + slen <= size); The arithmetic can overflow here. That could only happen if the caller is trying to trick you, so it's a defense in depth thing. But maybe the caller was attacked and the attacker gained enough control to trick this function and not to gain code execution immediately. In that case, this bug would give him code execution. | ||||
| Steps To Reproduce | Recommendation: GNUNET_assert(slen <= size - needed); | ||||
| Tags | No tags attached. | ||||
|
|
Fixed in a3d4063b7..1b5dfc396 (together with a related issue: check only applied if buffer is non-NULL). Plus scope minizations. |
|
|
Closing as resolved since at least 0.13.2 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-04-03 12:22 | fefe | New Issue | |
| 2020-04-03 12:22 | fefe | Status | new => assigned |
| 2020-04-03 12:22 | fefe | Assigned To | => Christian Grothoff |
| 2020-04-03 14:24 | Christian Grothoff | Note Added: 0015500 | |
| 2020-04-03 14:24 | Christian Grothoff | Project | Taler => GNUnet |
| 2020-04-03 14:24 | Christian Grothoff | Category | exchange => General |
| 2020-04-03 14:25 | Christian Grothoff | Status | assigned => resolved |
| 2020-04-03 14:25 | Christian Grothoff | Resolution | open => fixed |
| 2020-04-03 14:25 | Christian Grothoff | Fixed in Version | => 0.12.3 |
| 2020-04-03 14:25 | Christian Grothoff | Category | General => ARM service |
| 2020-04-03 14:25 | Christian Grothoff | Product Version | 0.7.0 => Git master |
| 2020-04-03 14:25 | Christian Grothoff | Target Version | => 0.12.3 |
| 2020-04-22 17:27 | schanzen | Target Version | 0.12.3 => 0.13.0 |
| 2020-06-01 00:52 |
|
Issue cloned: 0006356 | |
| 2020-08-14 12:04 | schanzen | Note Added: 0016621 | |
| 2020-08-14 12:04 | schanzen | Status | resolved => closed |
