View Issue Details

IDProjectCategoryView StatusLast Update
0006155GNUnetutil librarypublic2020-07-09 09:17
Reporterfefe Assigned ToChristian Grothoff  
PrioritynormalSeverityminorReproducibilityN/A
Status closedResolutionfixed 
Product VersionGit master 
Target Version0.13.0Fixed in Version0.13.0 
Summary0006155: Integer overflow in GNUNET_STRINGS_pp2s
Description  99 char *
 100 GNUNET_STRINGS_pp2s (const struct GNUNET_PeerIdentity *pids,
 101 unsigned int num_pids)
 102 {
 103 char *buf;
 104 size_t off;
 105 size_t plen = num_pids * 5 + 1;
 106
 107 off = 0;
 108 buf = GNUNET_malloc (plen);

The arithmetic on line 105 can overflow. The integer promotion from 32-bit int to 64-bit size_t will only happen at the assignment, after the multiplication has already overflown.
TagsNo tags attached.

Activities

Christian Grothoff

2020-04-03 18:50

manager   ~0015511

Ok, so you are doing an audit of libgnunetutil now. Because that code I am 100% sure is NOT reachable for Taler ;-).

Christian Grothoff

2020-04-03 18:50

manager   ~0015512

Fixed in bc01117ce..6fd24eef2. Let me know if giving you Git commit on gnunet.git would be more productive for these kinds of bugs.

schanzen

2020-07-09 09:17

manager   ~0016432

0.13.0 released

Issue History

Date Modified Username Field Change
2020-04-03 12:25 fefe New Issue
2020-04-03 18:50 Christian Grothoff Note Added: 0015511
2020-04-03 18:50 Christian Grothoff Note Added: 0015512
2020-04-03 18:51 Christian Grothoff Assigned To => Christian Grothoff
2020-04-03 18:51 Christian Grothoff Status new => resolved
2020-04-03 18:51 Christian Grothoff Resolution open => fixed
2020-04-03 18:51 Christian Grothoff Fixed in Version => 0.12.2
2020-04-03 18:51 Christian Grothoff Target Version => 0.12.2
2020-04-23 10:45 schanzen Fixed in Version 0.12.2 => 0.13.0
2020-04-23 10:47 schanzen Target Version 0.12.2 => 0.13.0
2020-06-01 00:49 Adminknox Issue cloned: 0006320
2020-06-01 00:52 Adminknox Issue cloned: 0006352
2020-07-09 09:17 schanzen Note Added: 0016432
2020-07-09 09:17 schanzen Status resolved => closed