View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006184 | GNUnet | GNS | public | 2020-04-15 13:41 | 2020-07-09 09:17 |
Reporter | fefe | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | minor | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Product Version | 0.12.1 | ||||
Target Version | 0.13.0 | Fixed in Version | 0.13.0 | ||
Summary | 0006184: buffer overflow in signal_socks_failure and signal_socks_success | ||||
Description | I got here by grepping for memset. :-) The code pattern is this (line 3015): `s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];` And then we just write to `s_resp`. `wbuf_len` might already be toward the end of the buffer! Now the argument could be made that these functions are static and thus can't be called from elsewhere and thus can rely on the caller to do the right thing. Still, this kind of code is called a buffer overflow. Never simply write to a buffer, especially with an offset, unless you verified your write fits in the buffer bounds. | ||||
Tags | No tags attached. | ||||
Note | Username | Date | Text |
---|---|---|---|
0015657 | Christian Grothoff | 2020-04-15 20:32 | Actually, I doubt we ever call this where wbuf_len != 0. But, we should GNUNET_break() on that assumption, and GNUNET_assert() on the buffer size being adequate. Fixed in 7bcd5338f..b7be5b9f5. |
0016427 | schanzen | 2020-07-09 09:17 | 0.13.0 released |
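Added example (not part of this issue and not GNUnet's code): the offset write from the report, rewritten with the two checks the fix note describes. The struct layout, the 64-byte `wbuf`, the `Socks5Request` fields and the `unexpected` counter are assumptions made for the example; a refused append with a `false` return stands in for the `GNUNET_assert()` on buffer size, and the counter stands in for `GNUNET_break()` on the `wbuf_len == 0` expectation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the SOCKS5 server reply and the per-request
   write buffer named in the report; the names follow the report, the
   layouts and sizes are constructed here and are not GNUnet's. */
struct Socks5ServerResponseMessage
{
  uint8_t version;      /* 0x05 */
  uint8_t reply;        /* 0x00 = succeeded, anything else = failure code */
  uint8_t reserved;
  uint8_t address_type; /* 0x01 = IPv4 */
  uint8_t bnd_addr[4];
  uint16_t bnd_port;
};

#define WBUF_SIZE 64 /* assumed buffer size for the example */

struct Socks5Request
{
  uint8_t wbuf[WBUF_SIZE];
  size_t wbuf_len;         /* bytes already queued in wbuf */
  unsigned int unexpected; /* times the "wbuf_len == 0" expectation failed */
};

/* The reported pattern wrote through
 *   s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
 * with no check that sizeof(*s_resp) bytes remain after wbuf_len.
 * This version checks first and refuses (returning false) when the reply
 * would not fit; in the real code that condition is an assertion.
 * A non-empty buffer is unexpected but tolerated, so it is only counted,
 * standing in for GNUNET_break(). */
static bool
append_socks_response (struct Socks5Request *s5r,
                       uint8_t reply)
{
  struct Socks5ServerResponseMessage s_resp;

  if (0 != s5r->wbuf_len)
    s5r->unexpected++;
  if (sizeof (s_resp) > WBUF_SIZE - s5r->wbuf_len)
    return false; /* a write at this offset would run past the end of wbuf */
  memset (&s_resp, 0, sizeof (s_resp));
  s_resp.version = 0x05;
  s_resp.reply = reply;
  s_resp.address_type = 0x01;
  /* Copy into the bounds-checked offset instead of casting wbuf+offset to a
     struct pointer; this also sidesteps alignment problems. */
  memcpy (&s5r->wbuf[s5r->wbuf_len], &s_resp, sizeof (s_resp));
  s5r->wbuf_len += sizeof (s_resp);
  return true;
}

/* Constructed scenario: a fresh request gets one success reply.
   Returns the number of bytes now queued (0 if the append was refused). */
static size_t
demo_single_reply (void)
{
  struct Socks5Request s5r;

  memset (&s5r, 0, sizeof (s5r));
  if (! append_socks_response (&s5r, 0x00))
    return 0;
  return s5r.wbuf_len;
}

/* Constructed scenario: keep appending until the check refuses.
   Returns how many replies fit; wbuf_len never exceeds WBUF_SIZE. */
static unsigned int
count_fitting_replies (void)
{
  struct Socks5Request s5r;
  unsigned int n = 0;

  memset (&s5r, 0, sizeof (s5r));
  while (append_socks_response (&s5r, 0x01))
    n++;
  return n;
}

int
main (void)
{
  printf ("one reply queues %zu bytes\n", demo_single_reply ());
  printf ("%u replies fit in a %d-byte wbuf\n",
          count_fitting_replies (), WBUF_SIZE);
  return 0;
}
```

The check is written as `sizeof (s_resp) > WBUF_SIZE - s5r->wbuf_len` rather than `wbuf_len + sizeof (s_resp) > WBUF_SIZE` so that it cannot itself overflow when `wbuf_len` is already large; the `memcpy` at the checked offset replaces the struct-pointer cast, which is the other half of the pattern the report objects to.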
Date Modified | Username | Field | Change |
---|---|---|---|
2020-04-15 13:41 | fefe | New Issue | |
2020-04-15 20:32 | Christian Grothoff | Note Added: 0015657 | |
2020-04-15 20:32 | Christian Grothoff | Assigned To | => Christian Grothoff |
2020-04-15 20:32 | Christian Grothoff | Status | new => resolved |
2020-04-15 20:32 | Christian Grothoff | Resolution | open => fixed |
2020-04-15 20:32 | Christian Grothoff | Fixed in Version | => 0.12.2 |
2020-04-15 20:32 | Christian Grothoff | Target Version | => 0.12.2 |
2020-04-23 10:45 | schanzen | Fixed in Version | 0.12.2 => 0.13.0 |
2020-04-23 10:47 | schanzen | Target Version | 0.12.2 => 0.13.0 |
2020-06-01 00:49 | | Issue cloned: 0006314 | |
2020-06-01 00:52 | | Issue cloned: 0006346 | |
2020-07-09 09:17 | schanzen | Note Added: 0016427 | |
2020-07-09 09:17 | schanzen | Status | resolved => closed |