View Issue Details

ID: 0009279
Project: GNUnet
Category: util library
View Status: public
Last Update: 2024-10-29 20:56
Reporter: fefe
Assigned To: schanzen
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: Git master
Target Version: 0.22.2
Fixed in Version: 0.22.2
Summary: 0009279: GNUNET_buffer_write_data_encoded: integer overflow

Description: In buffer.c:

  264 void
  265 GNUNET_buffer_write_data_encoded (struct GNUNET_Buffer *buf,
  266                                   const void *data,
  267                                   size_t data_len)
  268 {
  269   size_t outlen = data_len * 8;

This can overflow.

  271   if (outlen % 5 > 0)
  272     outlen += 5 - outlen % 5;
  273   outlen /= 5;

Line 272 can overflow.
It's probably better to write this as:

  int roundup = (outlen % 5 > 0);
  outlen = (outlen / 5) + roundup;

Tags: No tags attached.

Activities

fefe (reporter), 2024-10-18 15:18, note ~0023545

Actually, since *8 means we can always add 0..7 without overflow checking, you could write it as

  outlen = (outlen + 4) / 5;

schanzen (administrator), 2024-10-23 21:34, note ~0023579

I don't understand the comment:
We can assert that (data_len <= SIZE_MAX / 8) such that line 269 does not overflow. But if data_len == SIZE_MAX / 8 then the above will overflow surely?

fefe (reporter), 2024-10-24 12:37, note ~0023588

The *8 can overflow (and I didn't quote line 270 which checks for it IIRC) but not the +4.

integer * 8 is like a left shift by three. The rightmost 3 bits will always be zero. Which means you can add up to 7 without overflow check.
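The arithmetic discussed in this thread, as an added C example that is not GNUnet's code and not the committed fix: `encoded_len_unchecked` mirrors the quoted lines 269-273 (so its `data_len * 8` wraps for large inputs), while the hypothetical `encoded_len_checked` rejects any length whose bit count would not fit in `size_t` and then rounds up with the reporter's `(outlen + 4) / 5` form, which cannot wrap because a multiple of 8 has its low three bits clear.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked variant mirroring the original lines 269-273: data_len * 8 can
 * wrap around, after which the round-up to a multiple of 5 operates on the
 * wrapped value and the returned length is far too small for the output. */
static size_t
encoded_len_unchecked (size_t data_len)
{
  size_t outlen = data_len * 8;   /* wraps when data_len > SIZE_MAX / 8 */
  if (outlen % 5 > 0)
    outlen += 5 - outlen % 5;
  outlen /= 5;
  return outlen;
}

/* Hypothetical checked variant (not the committed GNUnet fix): refuse any
 * data_len whose bit count does not fit in size_t, then round up with the
 * (outlen + 4) / 5 form. outlen is a multiple of 8, so its low three bits
 * are zero and adding 4 cannot carry past the top bit. */
static bool
encoded_len_checked (size_t data_len, size_t *out)
{
  if (data_len > SIZE_MAX / 8)
    return false;                 /* data_len * 8 would overflow */
  size_t outlen = data_len * 8;   /* exact number of input bits */
  *out = (outlen + 4) / 5;        /* ceil (outlen / 5), no wrap possible */
  return true;
}

int
main (void)
{
  size_t n = 0;
  size_t huge = SIZE_MAX / 8 + 1; /* constructed: smallest length that wraps */
  printf ("unchecked(%zu) = %zu\n", huge, encoded_len_unchecked (huge));
  printf ("checked(%zu) -> %s\n", huge,
          encoded_len_checked (huge, &n) ? "ok" : "rejected");
  if (encoded_len_checked (SIZE_MAX / 8, &n))
    printf ("checked(SIZE_MAX / 8) = %zu\n", n);
  return 0;
}
```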

schanzen (administrator), 2024-10-24 13:25, note ~0023591

Fix committed to master branch.

schanzen (administrator), 2024-10-29 20:56, note ~0023630

Released

Related Changesets

gnunet: master 95fc6b46
2024-10-24 15:24, schanzen
util: Fix integer overflow in buffer writer. Fixes 0009279
Affected Issues: 0009279
Modified: src/lib/util/buffer.c

Issue History

Date Modified Username Field Change
2024-10-18 15:02 fefe New Issue
2024-10-18 15:18 fefe Note Added: 0023545
2024-10-23 13:20 schanzen Target Version => 0.22.2
2024-10-23 21:34 schanzen Note Added: 0023579
2024-10-23 21:34 schanzen Assigned To => schanzen
2024-10-23 21:34 schanzen Status new => assigned
2024-10-24 12:37 fefe Note Added: 0023588
2024-10-24 13:25 schanzen Changeset attached => gnunet master 95fc6b46
2024-10-24 13:25 schanzen Note Added: 0023591
2024-10-24 13:25 schanzen Status assigned => resolved
2024-10-24 13:25 schanzen Resolution open => fixed
2024-10-24 13:26 schanzen Fixed in Version => 0.22.2
2024-10-29 20:56 schanzen Note Added: 0023630
2024-10-29 20:56 schanzen Status resolved => closed