View Issue Details

ID: 0008108
Project: Taler
Category: exchange
View Status: public
Last Update: 2024-03-07 20:47
Reporter: fefe
Assigned To: Christian Grothoff
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: git (master)
Target Version: 0.9.4
Fixed in Version: 0.9.4
Summary: 0008108: decode_keys_json: integer truncation

Description

 958 unsigned int index;

 963 json_array_foreach (global_fees, index, global_fee)

 979 unsigned int index;

 984 json_array_foreach (sign_keys_array, index, sign_key_obj) {

These should be size_t as json_array_size is assigned in the macro, which returns a size_t.
Tags: No tags attached.

Relationships

related to 0008107 (closed, Christian Grothoff): TALER_EXCHANGE_Keys: integer truncation
child of 0008112 (assigned, fefe): Merchant security review

Activities

fefe

2024-01-18 16:02

developer   ~0020904

Also (this is a loooong function!):

1000 for (unsigned int i = 0; i<key_data->wblwk_length; i++)

1035 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1036 "Parsed %u wire accounts from JSON\n",
1037 (unsigned int) json_array_size (accounts));
(don't cast to unsigned int; use %zu instead)

1076 unsigned int group_idx;

1095 unsigned int index;

1129 for (unsigned int j = 0;

1168 unsigned int index;

1184 for (unsigned int j = 0; j<key_data->num_auditors; j++)

1198 for (unsigned int i = 0; i<ai.num_denom_keys; i++)

1202 for (unsigned int k = 0; k<aix->num_denom_keys; k++)
(it's not a bug to use size_t to iterate over uint32_t, but it's a bug the other way around)

1240 unsigned int index;

1255 for (unsigned int j = 0;

1279 for (unsigned int i = 0; i<sig_ctx.elements_pos; i++)

The function also has four levels of nested loops. It may be possible to run a denial of service attack by sending a lot of material as the exchange.
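Added example, not code from the Taler exchange, from GNUnet, or from the report above: it models the two shapes flagged in the Description (`json_array_foreach` with an `unsigned int` index, where jansson's macro compares the index against `json_array_size()`, a `size_t`) and in the note above (`for (unsigned int i = 0; i < <size_t bound>; i++)`, and the `(unsigned int)` cast in the log statement). Once the `size_t` bound exceeds `UINT_MAX`, the narrower counter wraps to 0 before it can reach the bound and the loop never terminates. Allocating 2^32 elements to show that is impractical, so the model loop is scaled down to a `uint8_t` counter (an assumption for demonstration; the arithmetic is identical, only the width changes). The function names, the `cap` guard and the `size_to_uint` helper are hypothetical and exist only for this illustration.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of running one of the model loops below. */
struct loop_result
{
  bool terminated;      /* false: the guard had to cut the loop off */
  uint64_t iterations;  /* loop-body executions until exit or cut-off */
};

/* The shape the report objects to, scaled down from unsigned int vs size_t
 * to uint8_t vs size_t so the wrap is reachable in a few hundred steps.
 * `cap` exists only so this demo cannot hang; the real loops have no guard. */
static struct loop_result
iterate_narrow_counter (size_t bound, uint64_t cap)
{
  struct loop_result r = { true, 0 };

  for (uint8_t i = 0; i < bound; i++)
  {
    if (++r.iterations > cap)
    {
      r.terminated = false;   /* i wrapped to 0 and can never reach bound */
      break;
    }
  }
  return r;
}

/* The corrected shape: counter of the same type as the bound. */
static struct loop_result
iterate_size_t_counter (size_t bound, uint64_t cap)
{
  struct loop_result r = { true, 0 };

  for (size_t i = 0; i < bound; i++)
  {
    if (++r.iterations > cap)
    {
      r.terminated = false;
      break;
    }
  }
  return r;
}

/* Checked narrowing for places where a size_t (e.g. json_array_size())
 * must land in an unsigned int field: refuse out-of-range values instead
 * of silently truncating. Hypothetical helper, not a GNUnet/Taler API. */
static bool
size_to_uint (size_t n, unsigned int *out)
{
  if (n > UINT_MAX)
    return false;
  *out = (unsigned int) n;
  return true;
}

int
main (void)
{
  struct loop_result r;
  unsigned int count;

  r = iterate_narrow_counter (255, 1000);
  printf ("uint8_t counter, bound 255: terminated=%d, iterations=%" PRIu64 "\n",
          r.terminated, r.iterations);
  r = iterate_narrow_counter (256, 1000);
  printf ("uint8_t counter, bound 256: terminated=%d (cut off after %" PRIu64 ")\n",
          r.terminated, r.iterations);
  r = iterate_size_t_counter (256, 1000);
  printf ("size_t counter,  bound 256: terminated=%d, iterations=%" PRIu64 "\n",
          r.terminated, r.iterations);

  if (size_to_uint (70000, &count))
    printf ("70000 fits in unsigned int: %u\n", count);
  if (sizeof (size_t) > sizeof (unsigned int))
  {
    /* LP64 only: a constructed count just above UINT_MAX. */
    size_t big = (size_t) UINT_MAX + 2;

    if (! size_to_uint (big, &count))
      printf ("%zu does not fit in unsigned int; refused\n", big);
    /* The cast from the log statement prints 1 here; %zu prints the count. */
    printf ("cast to unsigned int: %u, printed with %%zu: %zu\n",
            (unsigned int) big, big);
  }
  return 0;
}
```

The boundary is exact: a bound of 2^N - 1 is the largest an N-bit unsigned counter can terminate on, and a bound of 2^N already loops forever, because the counter reaches 2^N - 1, executes the body, increments to 0 and is again below the bound. Declaring the counter with the bound's type, as the report asks, removes the wrap entirely; the checked narrowing is for the remaining spots where a size_t count genuinely has to be stored in a narrower field.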

fefe

2024-01-18 16:33

developer   ~0020905

next, in keys_completed_cb (same file):

1388 for (unsigned int i = 0; i<kd_old->num_denom_keys; i++)

1395 for (unsigned int i = 0; i<kd_old->num_auditors; i++)

fefe

2024-01-18 16:57

developer   ~0020906

Also further down in the same file:

1819 for (unsigned int i = 0; i<keys->num_denom_keys; i++)

1848 for (unsigned int i = 0; i<keys->num_denom_keys; i++)

1854 for (unsigned int i = 0; i<keys->num_auditors; i++)

fefe

2024-01-18 17:37

developer   ~0020907

Still further down:

2090 for (unsigned int i = 0; i<kd->num_sign_keys; i++)

2123 for (unsigned int i = 0; i<kd->num_denom_keys; i++)

2202 for (unsigned int i = 0; i<kd->num_auditors; i++)

2210 for (unsigned int j = 0; j<ai->num_denom_keys; j++)

2248 for (unsigned int i = 0; i<kd->num_global_fees; i++)

2277 for (unsigned int i = 0; i<kd->accounts_len; i++)

2316 for (unsigned int i = 0; i<kd->fees_len; i++)

2352 for (unsigned int i = 0; i<kd->num_denom_keys; i++)

2368 for (unsigned int i = 0; i<kd->wblwk_length; i++)

Christian Grothoff

2024-01-18 22:49

manager   ~0020915

Already fixed as part of 9e709172..b52ec7df for 0008107.

Issue History

Date Modified Username Field Change
2024-01-18 15:47 fefe New Issue
2024-01-18 15:47 fefe Status new => assigned
2024-01-18 15:47 fefe Assigned To => Christian Grothoff
2024-01-18 16:02 fefe Note Added: 0020904
2024-01-18 16:33 fefe Note Added: 0020905
2024-01-18 16:57 fefe Note Added: 0020906
2024-01-18 17:37 fefe Note Added: 0020907
2024-01-18 22:49 Christian Grothoff Note Added: 0020915
2024-01-18 22:49 Christian Grothoff Status assigned => resolved
2024-01-18 22:49 Christian Grothoff Resolution open => fixed
2024-01-18 22:49 Christian Grothoff Fixed in Version => 0.9.4
2024-01-18 22:49 Christian Grothoff Relationship added related to 0008107
2024-01-18 22:49 Christian Grothoff Product Version => git (master)
2024-01-18 22:49 Christian Grothoff Target Version => 0.9.4
2024-01-18 23:30 Christian Grothoff Relationship added child of 0008112
2024-03-07 20:47 Christian Grothoff Status resolved => closed