View Issue Details

ID: 0006184
Project: GNUnet
Category: GNS
View Status: public
Last Update: 2020-07-09 09:17
Reporter: fefe
Assigned To: Christian Grothoff
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 0.12.1
Target Version: 0.13.0
Fixed in Version: 0.13.0
Summary: 0006184: buffer overflow in signal_socks_failure and signal_socks_success
Description: I got here by grepping for memset. :-)

The code pattern is this:

3015 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];

And then we just write to s_resp. wbuf_len might already be toward the end of the buffer!

Now the argument could be made that these functions are static and thus can't be called from elsewhere and thus can rely on the caller to do the right thing. Still, this kind of code is called a buffer overflow. Never simply write to a buffer, especially with an offset, unless you verified your write fits in the buffer bounds.
Tags: No tags attached.

Activities

Christian Grothoff

2020-04-15 20:32

manager ~0015657

Actually, I doubt we ever call this where wbuf_len != 0. But, we should GNUNET_break() on that assumption, and GNUNET_assert() on the buffer size being adequate. Fixed in 7bcd5338f..b7be5b9f5.
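The pattern the report objects to and the two checks Christian describes above (a GNUNET_break() on the assumption that wbuf_len is 0, a GNUNET_assert() that the response fits), shown side by side as an added C example. This is not GNUnet's code: the response struct, the connection struct with its s5r-style wbuf/wbuf_len fields, the 64-byte buffer, the canary and the function names are all assumptions made for the demonstration, and a warning on stderr plus a return code stand in for GNUNET_break()/GNUNET_assert().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the reply the proxy sends to the SOCKS client
 * (RFC 1928 reply with an IPv4 bind address). Only the size matters for the
 * bounds check; the field names are assumptions, not GNUnet's. */
struct Socks5ServerResponseMessage {
  uint8_t  version;    /* 0x05 */
  uint8_t  reply;      /* 0x00 = succeeded, 0x01 = general failure, ... */
  uint8_t  reserved;
  uint8_t  addr_type;  /* 0x01 = IPv4 */
  uint32_t bind_addr;
  uint16_t bind_port;
} __attribute__((packed));

_Static_assert(sizeof(struct Socks5ServerResponseMessage) == 10,
               "response must be exactly 10 bytes on the wire");

#define WBUF_SIZE 64 /* deliberately small so an overflow is easy to provoke */
#define CANARY_BYTE 0xA5

/* Hypothetical per-connection state, modelled on the s5r/wbuf/wbuf_len names
 * in the report. The canary sits directly after wbuf: any byte landing in it
 * was written out of bounds. */
struct Connection {
  unsigned char wbuf[WBUF_SIZE];
  unsigned char canary[8];
  size_t        wbuf_len; /* bytes of wbuf already queued for sending */
};

static void connection_init(struct Connection *c, size_t pending)
{
  memset(c->wbuf, 0, sizeof c->wbuf);
  memset(c->canary, CANARY_BYTE, sizeof c->canary);
  c->wbuf_len = pending;
}

/* 1 if the canary is intact, 0 if something overflowed wbuf. */
int canary_intact(const struct Connection *c)
{
  for (size_t i = 0; i < sizeof c->canary; i++)
    if (c->canary[i] != CANARY_BYTE)
      return 0;
  return 1;
}

static struct Socks5ServerResponseMessage make_response(uint8_t reply)
{
  struct Socks5ServerResponseMessage r;
  memset(&r, 0, sizeof r);
  r.version   = 0x05;
  r.reply     = reply;
  r.addr_type = 0x01;
  return r;
}

/* The pattern from the report: append at &wbuf[wbuf_len] with no check that
 * sizeof(response) bytes still fit. Caller discipline is the only guard. */
void signal_socks_unchecked(struct Connection *c, uint8_t reply)
{
  struct Socks5ServerResponseMessage r = make_response(reply);
  memcpy(&c->wbuf[c->wbuf_len], &r, sizeof r); /* overflows once wbuf_len > 54 */
  c->wbuf_len += sizeof r;
}

/* Hardened form in the spirit of the fix: warn when the "wbuf is empty"
 * assumption is violated, refuse when the write would not fit. */
int signal_socks_checked(struct Connection *c, uint8_t reply)
{
  struct Socks5ServerResponseMessage r = make_response(reply);
  if (c->wbuf_len != 0) /* GNUNET_break() analogue: unexpected but survivable */
    fprintf(stderr, "warning: wbuf_len is %zu, expected 0\n", c->wbuf_len);
  /* Subtract rather than add so a corrupted wbuf_len cannot wrap the test. */
  if (c->wbuf_len > sizeof c->wbuf || sizeof r > sizeof c->wbuf - c->wbuf_len)
    return -1; /* GNUNET_assert() analogue: the fixed code aborts here */
  memcpy(&c->wbuf[c->wbuf_len], &r, sizeof r); /* memcpy: no unaligned struct store */
  c->wbuf_len += sizeof r;
  return 0;
}

int main(void)
{
  struct Connection c;

  connection_init(&c, WBUF_SIZE - 4); /* only 4 bytes of room left */
  signal_socks_unchecked(&c, 0x01);
  printf("unchecked: canary %s\n", canary_intact(&c) ? "intact" : "CLOBBERED");

  connection_init(&c, WBUF_SIZE - 4);
  int rc = signal_socks_checked(&c, 0x01);
  printf("checked:   rc=%d, canary %s\n", rc, canary_intact(&c) ? "intact" : "CLOBBERED");
  return 0;
}
```

With four bytes of room left the unchecked call writes six bytes past wbuf into the canary; the checked call returns -1 and leaves both wbuf and wbuf_len untouched. The remaining-space test is written as a subtraction against the buffer size rather than as wbuf_len + sizeof r, so a wbuf_len that has itself been corrupted (or is simply larger than the buffer) cannot wrap the comparison and slip through.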

schanzen

2020-07-09 09:17

administrator ~0016427

0.13.0 released

Issue History

Date Modified | Username | Field | Change
2020-04-15 13:41 | fefe | New Issue |
2020-04-15 20:32 | Christian Grothoff | Note Added | 0015657
2020-04-15 20:32 | Christian Grothoff | Assigned To | => Christian Grothoff
2020-04-15 20:32 | Christian Grothoff | Status | new => resolved
2020-04-15 20:32 | Christian Grothoff | Resolution | open => fixed
2020-04-15 20:32 | Christian Grothoff | Fixed in Version | => 0.12.2
2020-04-15 20:32 | Christian Grothoff | Target Version | => 0.12.2
2020-04-23 10:45 | schanzen | Fixed in Version | 0.12.2 => 0.13.0
2020-04-23 10:47 | schanzen | Target Version | 0.12.2 => 0.13.0
2020-06-01 00:49 | Adminknox | Issue cloned | 0006314
2020-06-01 00:52 | Adminknox | Issue cloned | 0006346
2020-07-09 09:17 | schanzen | Note Added | 0016427
2020-07-09 09:17 | schanzen | Status | resolved => closed