View Issue Details

IDProjectCategoryView StatusLast Update
0006159GNUnetutil librarypublic2020-07-09 09:17
Reporterfefe Assigned ToChristian Grothoff  
PrioritynormalSeverityminorReproducibilityN/A
Status closedResolutionfixed 
Product VersionGit master 
Target Version0.13.0Fixed in Version0.13.0 
Summary0006159: Integer overflow in GNUNET_STRINGS_base64_encode
Description1865 opt = GNUNET_malloc (2 + (len * 4 / 3) + 8);

len is a size_t and caller-supplied. If the caller accidentally or maliciously calls this function with a very large len, then the multiplication will overflow.

Recommendation: have a sanity check on len first.
TagsNo tags attached.

Activities

fefe

2020-04-03 16:38

reporter   ~0015507

Similar issue a few lines down in GNUNET_STRINGS_base64_decode.

Christian Grothoff

2020-04-03 16:59

manager   ~0015508

Well, and here I was thinking libgnunetutil would be out-of-scope and we'd first audit that code ourselves before having you face the horrors. Well, happy to fix those now. ;-)

Christian Grothoff

2020-04-03 17:08

manager   ~0015509

Should be fixed in 0541fd194..55bff52a2

schanzen

2020-07-09 09:17

manager   ~0016428

0.13.0 released

Issue History

Date Modified Username Field Change
2020-04-03 16:37 fefe New Issue
2020-04-03 16:38 fefe Note Added: 0015507
2020-04-03 16:57 Christian Grothoff Assigned To => Christian Grothoff
2020-04-03 16:57 Christian Grothoff Status new => assigned
2020-04-03 16:59 Christian Grothoff Note Added: 0015508
2020-04-03 17:08 Christian Grothoff Note Added: 0015509
2020-04-03 17:08 Christian Grothoff Fixed in Version => 0.12.2
2020-04-03 17:08 Christian Grothoff Target Version => 0.12.2
2020-04-03 17:08 Christian Grothoff Status assigned => resolved
2020-04-03 17:08 Christian Grothoff Resolution open => fixed
2020-04-23 10:45 schanzen Fixed in Version 0.12.2 => 0.13.0
2020-04-23 10:47 schanzen Target Version 0.12.2 => 0.13.0
2020-06-01 00:49 Adminknox Issue cloned: 0006316
2020-06-01 00:52 Adminknox Issue cloned: 0006348
2020-07-09 09:17 schanzen Note Added: 0016428
2020-07-09 09:17 schanzen Status resolved => closed