View Issue Details

ID: 0008046
Project: GNUnet
Category: util library
View Status: public
Last Update: 2024-03-07 20:26
Reporter: fefe
Assigned To: Christian Grothoff
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Fixed in Version: 0.21.0
Summary: 0008046: GNUNET_STRINGS_to_address_ipv6: don't use uint16_t for addrlen
Description: This is in gnunet/src/lib/util/strings.c (line 1033):

    enum GNUNET_GenericReturnValue
    GNUNET_STRINGS_to_address_ipv6 (const char *zt_addr,
                                    uint16_t addrlen,
                                    struct sockaddr_in6 *r_buf)
    {
      char zbuf[addrlen + 1];

Always use size_t for lengths, otherwise there might be silent truncation when someone calls you with a larger value.
For example here, in the same file (line 1149):

    size_t
    GNUNET_STRINGS_parse_socket_addr (const char *addr,
                                      uint8_t *af,
                                      struct sockaddr **sa)
    {
      char *cp = GNUNET_strdup (addr);

      *af = AF_UNSPEC;
      if ('[' == *addr)
      {
        /* IPv6 */
        *sa = GNUNET_malloc (sizeof(struct sockaddr_in6));
        if (GNUNET_OK !=
            GNUNET_STRINGS_to_address_ipv6 (cp,
                                            strlen (cp),
                                            (struct sockaddr_in6 *) *sa))

strlen() returns a size_t and the input string could be longer than 64k if the caller was tricked or didn't check.
It's better to take size_t and check yourself so the caller being tricked won't derail your logic.
It's probably also not a good idea to use variable length stack arrays in a library function. You may be called in a pthread with 8k stack space, and this could cause a stack overrun and memory corruption. Thread stacks nowadays tend to have guard pages but using alloca or a VLA can skip over the guard page and corrupt memory. gcc does not generate code to touch the pages while extending the stack.
Tags: No tags attached.
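The two hazards the report describes, shown as an added example in C that is not GNUnet's code: a toy function with the same uint16_t parameter shape so the silent narrowing of a strlen() result becomes visible, and a hardened variant (hypothetical name to_address_ipv6_checked) that takes a size_t, rejects over-long input before touching memory, and uses a fixed-size stack buffer instead of a VLA. The 70000-byte input is constructed for the demonstration.

```c
/*
 * Added example, not GNUnet's code.  Function names are hypothetical.
 * Demonstrates (1) the silent size_t -> uint16_t narrowing at the call
 * boundary and (2) a hardened variant that checks the length itself and
 * uses a fixed-size stack buffer instead of a VLA.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same parameter shape as the reported function: whatever the caller
 * passes is narrowed to 16 bits.  Returns the length the callee sees. */
static uint16_t
length_as_seen_by_callee (uint16_t addrlen)
{
  return addrlen;
}

/* A caller hands over a size_t, typically from strlen(); the conversion
 * is implicit in the original and written out here only to make it visible. */
size_t
observed_length (size_t real_len)
{
  return length_as_seen_by_callee ((uint16_t) real_len);
}

/* Hardened variant: size_t length, explicit upper bound, no VLA.
 * INET6_ADDRSTRLEN covers the longest textual IPv6 address plus NUL;
 * two extra bytes allow the "[...]" form a socket-address parser may pass. */
int
to_address_ipv6_checked (const char *zt_addr,
                         size_t addrlen,
                         struct sockaddr_in6 *r_buf)
{
  char zbuf[INET6_ADDRSTRLEN + 2];
  const char *start = zbuf;

  if ((NULL == zt_addr) || (NULL == r_buf))
    return -1;
  /* Reject before reading: an oversized addrlen would otherwise drive
   * memcpy past the source buffer, and a VLA past the stack guard page. */
  if (addrlen >= sizeof (zbuf))
    return -1;
  memcpy (zbuf, zt_addr, addrlen);
  zbuf[addrlen] = '\0';
  if ((addrlen >= 2) && ('[' == zbuf[0]) && (']' == zbuf[addrlen - 1]))
  {
    zbuf[addrlen - 1] = '\0';
    start = zbuf + 1;
  }
  memset (r_buf, 0, sizeof (*r_buf));
  r_buf->sin6_family = AF_INET6;
  if (1 != inet_pton (AF_INET6, start, &r_buf->sin6_addr))
    return -1;
  return 0;
}

/* Helper for checking: 1 if the text parses to ::1, else 0. */
int
parses_to_loopback (const char *text, size_t len)
{
  struct sockaddr_in6 sa;

  if (0 != to_address_ipv6_checked (text, len, &sa))
    return 0;
  return IN6_IS_ADDR_LOOPBACK (&sa.sin6_addr) ? 1 : 0;
}

int
main (void)
{
  /* Constructed input: a 70000-byte string, far longer than any address. */
  size_t big = 70000;
  char *s = malloc (big + 1);
  struct sockaddr_in6 sa;

  memset (s, 'a', big);
  s[big] = '\0';
  printf ("strlen = %zu, uint16_t callee sees %zu\n",
          strlen (s), observed_length (strlen (s)));
  printf ("checked variant on the same input: %d\n",
          to_address_ipv6_checked (s, strlen (s), &sa));
  printf ("checked variant on [::1]: %d\n", parses_to_loopback ("[::1]", 5));
  free (s);
  return 0;
}
```

With the 70000-byte input the uint16_t callee sees 4464 (70000 mod 65536), so zbuf would be sized from a length unrelated to the data being copied; the checked variant refuses the call outright because no IPv6 literal can be that long, and the fixed-size buffer keeps the stack usage constant regardless of what the caller passes.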

Activities

Christian Grothoff (manager), 2024-01-09 19:09, note ~0020844:
Changed type, added sanity check on addrlen to protect stack against large allocations.

Christian Grothoff (manager), 2024-01-09 19:09, note ~0020845:
Fix committed to master branch.

schanzen (administrator), 2024-03-07 20:26, note ~0021800:
0.21 released

Related Changesets

gnunet: master 86323ede
2024-01-09 20:08, Christian Grothoff
fix 0008046
Affected Issues: 0008046
mod - src/include/gnunet_strings_lib.h
mod - src/lib/util/strings.c

Issue History

Date Modified Username Field Change
2024-01-09 16:37 fefe New Issue
2024-01-09 19:09 Christian Grothoff Note Added: 0020844
2024-01-09 19:09 Christian Grothoff Changeset attached => gnunet master 86323ede
2024-01-09 19:09 Christian Grothoff Note Added: 0020845
2024-01-09 19:09 Christian Grothoff Assigned To => Christian Grothoff
2024-01-09 19:09 Christian Grothoff Status new => resolved
2024-01-09 19:09 Christian Grothoff Resolution open => fixed
2024-01-09 20:10 Christian Grothoff Project Taler => GNUnet
2024-01-09 20:10 Christian Grothoff Category other => util library
2024-03-07 20:26 schanzen Fixed in Version => 0.21.0
2024-03-07 20:26 schanzen Note Added: 0021800
2024-03-07 20:26 schanzen Status resolved => closed