View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008052 | GNUnet | util library | public | 2024-01-09 19:10 | 2024-03-07 20:26 |
Reporter | fefe | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Fixed in Version | 0.21.0 | ||||
Summary | 0008052: GNUNET_STRINGS_urlencode: buffer overflow | ||||
Description | This is in gnunet/src/lib/util/strings.c, lines 1862-1865: `size_t GNUNET_STRINGS_urlencode (const char *data, size_t len, char **out)`. `len` is ignored. The code tries to traverse the input string until it hits a 0 byte. However, if the 0 byte is in an invalid UTF-8 sequence, it can skip over it and read past the input buffer, causing a segmentation fault. Also note that the UTF-8 validation is incomplete. It does not validate any of the bytes except the first in a sequence. | ||||
Tags | No tags attached. | ||||
|
Nice catch! I checked, only used in one place in GNU Taler, and *all* callers everywhere passed exactly len==strlen(). But, of course, fixing... |
|
Fixed in 57ba1868520f09b41e08cfd79b89477efb9bce7d |
|
0.21 released |
Date Modified | Username | Field | Change |
---|---|---|---|
2024-01-09 19:10 | fefe | New Issue | |
2024-01-09 19:29 | Christian Grothoff | Note Added: 0020849 | |
2024-01-09 19:31 | Christian Grothoff | Assigned To | => Christian Grothoff |
2024-01-09 19:31 | Christian Grothoff | Status | new => resolved |
2024-01-09 19:31 | Christian Grothoff | Resolution | open => fixed |
2024-01-09 19:31 | Christian Grothoff | Note Added: 0020850 | |
2024-01-09 20:10 | Christian Grothoff | Project | Taler => GNUnet |
2024-01-09 20:10 | Christian Grothoff | Category | other => util library |
2024-03-07 20:26 | schanzen | Fixed in Version | => 0.21.0 |
2024-03-07 20:26 | schanzen | Note Added: 0021795 | |
2024-03-07 20:26 | schanzen | Status | resolved => closed |
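
The two defects named in the description (the ignored `len` and the unchecked continuation bytes) can be avoided as in the following added example, which is not GNUnet code and not the fix from the commit referenced above. The function names `utf8_seq_len` and `bounded_urlencode`, the caller-supplied output buffer, and the choice to encode a space as `%20` are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: byte length of the UTF-8 sequence at p, or 0 if it is
   malformed or runs past 'remaining'. Structural check only (overlongs pass). */
static size_t utf8_seq_len (const uint8_t *p, size_t remaining)
{
  size_t n;
  if (0 == remaining) return 0;
  if (p[0] < 0x80) n = 1;
  else if (0xC0 == (p[0] & 0xE0)) n = 2;
  else if (0xE0 == (p[0] & 0xF0)) n = 3;
  else if (0xF0 == (p[0] & 0xF8)) n = 4;
  else return 0;                          /* stray continuation / bad lead */
  if (n > remaining) return 0;            /* sequence would leave the buffer */
  for (size_t i = 1; i < n; i++)
    if (0x80 != (p[i] & 0xC0)) return 0;  /* a 0 byte here is rejected too */
  return n;
}

/* Hypothetical encoder: percent-encodes exactly 'len' bytes of 'data' into
   'out' (capacity 'cap'). Returns the encoded length, or -1 on bad input or
   lack of space. The loop is driven by 'len', never by a search for 0. */
long bounded_urlencode (const char *data, size_t len, char *out, size_t cap)
{
  static const char hex[] = "0123456789ABCDEF";
  const uint8_t *p = (const uint8_t *) data;
  size_t o = 0;
  for (size_t i = 0; i < len; )
  {
    size_t n = utf8_seq_len (p + i, len - i);
    if (0 == n) return -1;
    for (size_t end = i + n; i < end; i++)
    {
      uint8_t c = p[i];
      if (o + 3 >= cap) return -1;        /* worst case: "%XX" plus the NUL */
      if (c < 0x80 && (isalnum (c) || (c && strchr ("-_.~", c))))
        out[o++] = (char) c;
      else { out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15]; }
    }
  }
  if (o >= cap) return -1;
  out[o] = '\0';
  return (long) o;
}
```

A lead byte followed directly by the terminating 0 byte, the case from the description, is rejected here whether or not the caller's `len` includes the terminator.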