View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007641 | GNUnet | namestore service | public | 2023-01-29 23:39 | 2024-02-29 22:46 |
Reporter | ulfvonbelow | Assigned To | schanzen | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | Git master | ||||
Target Version | 0.19.4 | Fixed in Version | 0.19.4 | ||
Summary | 0007641: overread in handle_record_store in src/namestore/gnunet-service-namestore.c | ||||
Description | handle_record_store makes a buffer to copy the recordset into that is too large by sizeof(key). It then copies that buffer's length of bytes from the recordset, which consequently reads past the end of the message containing the recordset. | ||||
Steps To Reproduce | `./configure --enable-sanitizer`, `make`, `make install`, `make check` | ||||
Additional Information | Patch attached. | ||||
Tags | patch | ||||
Attached Files | 0001-NAMESTORE-fix-overread-in-handle_record_store.patch (2,952 bytes)
From 38f0b0364dec820974e81871da5ec7dcccdbe842 Mon Sep 17 00:00:00 2001 From: ulfvonbelow <strilen@tilde.club> Date: Sun, 29 Jan 2023 06:38:07 -0600 Subject: [PATCH] NAMESTORE: fix overread in handle_record_store. A RecordStoreMessage looks like this: | header | key | recordset | A StoreActivity's rs field is supposed to point to the record set. handle_record_store tries to make a copy of this record set, but it does it by allocating enough memory for both key and recordset, then copying sizeof(key) + sizeof(recordset) bytes into it *starting from recordset*. This causes memcpy to read past the end of recordset by sizeof(key) bytes. There's still enough room in the allocated region for it, though, so it's only an overread. --- src/namestore/gnunet-service-namestore.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/namestore/gnunet-service-namestore.c b/src/namestore/gnunet-service-namestore.c index d25287c9f..ed06b1dc5 100644 --- a/src/namestore/gnunet-service-namestore.c +++ b/src/namestore/gnunet-service-namestore.c @@ -1735,11 +1735,19 @@ handle_record_store (void *cls, const struct RecordStoreMessage *rp_msg) ssize_t read; size_t key_len; size_t kb_read; + size_t rp_msg_len; + size_t rs_len; + size_t rs_off; + size_t body_len; struct StoreActivity *sa; struct RecordSet *rs; enum GNUNET_ErrorCode res; key_len = ntohs (rp_msg->key_len); + rp_msg_len = ntohs (rp_msg->gns_header.header.size); + body_len = rp_msg_len - sizeof (*rp_msg); + rs_off = sizeof (*rp_msg) + key_len; + rs_len = rp_msg_len - rs_off; if ((GNUNET_SYSERR == GNUNET_IDENTITY_read_private_key_from_buffer (&rp_msg[1], key_len, 
@@ -1756,7 +1764,7 @@ handle_record_store (void *cls, const struct RecordStoreMessage *rp_msg) "Received NAMESTORE_RECORD_STORE message\n"); rid = ntohl (rp_msg->gns_header.r_id); rd_set_count = ntohs (rp_msg->rd_set_count); - buf = (const char *) &rp_msg[1] + key_len; + buf = (const char *) rp_msg + rs_off; for (int i = 0; i < rd_set_count; i++) { rs = (struct RecordSet *) buf; @@ -1770,15 +1778,12 @@ handle_record_store (void *cls, const struct RecordStoreMessage *rp_msg) } buf += read; } - sa = GNUNET_malloc (sizeof(struct StoreActivity) - + ntohs (rp_msg->gns_header.header.size) - - sizeof (*rp_msg)); + sa = GNUNET_malloc (sizeof(struct StoreActivity) + rs_len); GNUNET_CONTAINER_DLL_insert (sa_head, sa_tail, sa); sa->nc = nc; sa->rs = (struct RecordSet *) &sa[1]; sa->rd_set_count = rd_set_count; - GNUNET_memcpy (&sa[1], (char *) &rp_msg[1] + key_len, - ntohs (rp_msg->gns_header.header.size) - sizeof (*rp_msg)); + GNUNET_memcpy (&sa[1], (char *) rp_msg + rs_off, rs_len); sa->rid = rid; sa->rd_set_pos = 0; sa->private_key = zone; -- 2.38.1 | ||||
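Review bot: `body_len` is declared and computed (`body_len = rp_msg_len - sizeof (*rp_msg)`) in the first hunk but nothing else in the patch reads it, so it will draw an unused-variable warning; either drop it or use it to bound `key_len` before `rs_len = rp_msg_len - rs_off` is evaluated, because if `rs_off` ever exceeds `rp_msg_len` that unsigned subtraction wraps to a huge `size_t`. If the handler's check_ callback already guarantees `key_len` fits inside the message that is fine, but an explicit `if (key_len > body_len)` bail-out here would document the invariant where it is relied on.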
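Review bot: in the second hunk `buf = (const char *) rp_msg + rs_off;` is equivalent to the old `&rp_msg[1] + key_len` and reads more clearly, but the pre-existing `rs = (struct RecordSet *) buf;` two lines below still casts away the `const` this line sets up; worth making `rs` a `const struct RecordSet *` while touching the loop.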
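Review bot: in the third hunk the `GNUNET_malloc` size and the `GNUNET_memcpy` length now both use `rs_len`, which closes the overread; one check is still missing after the validation loop that precedes it: the loop advances `buf += read` once per record set, but nothing verifies that the bytes consumed add up to `rs_len`, so a message with trailing bytes after the last record set is copied into `sa` and stored as is. Comparing `buf - ((const char *) rp_msg + rs_off)` against `rs_len` before the allocation, and dropping the client on mismatch, would reject such messages.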
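The length arithmetic the patch introduces, with the bounds check a defender wants in front of it, as an added example in C that is not GNUnet's code: `store_msg`, `store_copy`, `copy_record_set` and `build_msg` are simplified stand-ins for RecordStoreMessage and StoreActivity, assumed here only for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the wire layout from the report (added example, not
 * GNUnet's own struct): | header (size, key_len) | key | recordset |. */
struct store_msg {
  uint16_t size;    /* total message length incl. header, network order */
  uint16_t key_len; /* length of the key that follows, network order */
};

/* Record-set copy stored behind the struct, as StoreActivity keeps rs. */
struct store_copy { size_t rs_len; unsigned char rs[]; };

/* Validate lengths, then copy exactly the record set and nothing more.
 * Returns NULL on malformed input; the rs_off check is what keeps
 * rs_len = rp_msg_len - rs_off from underflowing. */
struct store_copy *copy_record_set(const unsigned char *msg, size_t msg_len)
{
  struct store_msg hdr;
  if (msg_len < sizeof hdr)
    return NULL;
  memcpy(&hdr, msg, sizeof hdr);           /* avoids unaligned access */
  size_t rp_msg_len = ntohs(hdr.size);
  size_t key_len = ntohs(hdr.key_len);
  if (rp_msg_len != msg_len)               /* header must match actual length */
    return NULL;
  size_t rs_off = sizeof hdr + key_len;
  if (rs_off > rp_msg_len)                 /* key claims more bytes than exist */
    return NULL;
  size_t rs_len = rp_msg_len - rs_off;
  struct store_copy *sc = malloc(sizeof *sc + rs_len);
  if (!sc) return NULL;
  sc->rs_len = rs_len;
  memcpy(sc->rs, msg + rs_off, rs_len);    /* the bug copied key_len + rs_len here */
  return sc;
}

/* Test helper: build a message with key_len 'K' bytes and rs_len 'R' bytes. */
size_t build_msg(unsigned char *out, size_t cap, uint16_t key_len, uint16_t rs_len)
{
  size_t total = sizeof(struct store_msg) + key_len + rs_len;
  if (total > cap) return 0;
  struct store_msg hdr = { htons((uint16_t) total), htons(key_len) };
  memcpy(out, &hdr, sizeof hdr);
  memset(out + sizeof hdr, 'K', key_len);
  memset(out + sizeof hdr + key_len, 'R', rs_len);
  return total;
}
```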
Date Modified | Username | Field | Change |
---|---|---|---|
2023-01-29 23:39 | ulfvonbelow | New Issue | |
2023-01-29 23:39 | ulfvonbelow | Tag Attached: bug | |
2023-01-29 23:39 | ulfvonbelow | Tag Attached: patch | |
2023-01-29 23:39 | ulfvonbelow | File Added: 0001-NAMESTORE-fix-overread-in-handle_record_store.patch | |
2023-02-06 06:03 | schanzen | Assigned To | => schanzen |
2023-02-06 06:03 | schanzen | Status | new => resolved |
2023-02-06 06:03 | schanzen | Resolution | open => fixed |
2023-02-06 06:03 | schanzen | Fixed in Version | => 0.19.4 |
2023-02-06 06:03 | schanzen | Note Added: 0019764 | |
2023-02-06 06:19 | schanzen | Target Version | => 0.19.4 |
2023-06-01 20:26 | schanzen | Note Added: 0020227 | |
2023-06-01 20:26 | schanzen | Status | resolved => closed |
2024-02-29 22:46 | Christian Grothoff | Tag Detached: bug | |