View Issue Details

ID: 0009286
Project: GNUnet
Category: util library
View Status: public
Last Update: 2024-10-29 20:56
Reporter: fefe
Assigned To: schanzen
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 0.22.2
Fixed in Version: 0.22.2
Summary: 0009286: GNUNET_asprintf: don't call vsprintf
Description

int
GNUNET_asprintf (char **buf,
                 const char *format,
                 ...)
{
  int ret;
  va_list args;

  va_start (args,
            format);
  /* First pass: measure the formatted length without writing anything. */
  ret = vsnprintf (NULL,
                   0,
                   format,
                   args);
  va_end (args);
  GNUNET_assert (ret >= 0);
  *buf = GNUNET_malloc (ret + 1);
  va_start (args, format);
  /* Second pass: unbounded write into the freshly allocated buffer. */
  ret = vsprintf (*buf,
                  format,
                  args);
  va_end (args);
  return ret;
}

It is possible to construct a format string that will cause the resulting length to cause overflow in vsnprintf.
As a defense in depth measure, don't call vsprintf but vsnprintf.
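A hardened variant of the function above, added here as an illustration and not taken from GNUnet or from the fix commit: both passes use vsnprintf, the second one bounded by the measured size, and a measured length of INT_MAX is rejected instead of letting ret + 1 wrap. The name safe_asprintf is made up for this example.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened replacement for the GNUNET_asprintf pattern
 * (example code, not GNUnet's). Both passes use vsnprintf, so the write
 * can never run past the buffer even if the second pass renders more
 * output than the first measured. Returns the number of characters
 * written (excluding the NUL) or -1 on error, leaving *buf NULL. */
int
safe_asprintf (char **buf, const char *format, ...)
{
  va_list args;
  int needed;
  int written;
  char *out;

  *buf = NULL;
  va_start (args, format);
  needed = vsnprintf (NULL, 0, format, args);   /* measure only */
  va_end (args);
  /* vsnprintf returns <0 on encoding or overflow errors. A result of
   * INT_MAX would make needed + 1 wrap as an int (the original code's
   * GNUNET_malloc (ret + 1)) and exceed what vsnprintf can write. */
  if (needed < 0 || needed == INT_MAX)
    return -1;
  out = malloc ((size_t) needed + 1);
  if (NULL == out)
    return -1;
  va_start (args, format);
  written = vsnprintf (out, (size_t) needed + 1, format, args);  /* bounded */
  va_end (args);
  /* A mismatch means the arguments rendered differently on the second
   * pass; the write stayed in bounds, but fail closed rather than hand
   * back a silently truncated string. */
  if (written < 0 || written != needed)
  {
    free (out);
    return -1;
  }
  *buf = out;
  return written;
}
```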
Tags: No tags attached.

Relationships

related to 0009291 (closed, schanzen): GNUNET_CONFIGURATION_serialize: confused code

Activities

schanzen

2024-10-25 15:35

administrator   ~0023602

I do not understand this report. The function already calls vsnprintf to get the number of bytes required. Then it allocates a buffer of sufficient length and then calls vsprintf on that buffer. This will obviously then never overflow?
We could call vsnprintf again, of course. But with 0 actual impact (?)

schanzen

2024-10-29 13:15

administrator   ~0023614

Fix committed to master branch.

schanzen

2024-10-29 20:56

administrator   ~0023621

Released

Related Changesets

gnunet: master 26321069

2024-10-29 14:15

schanzen


util: Do not use vsprintf internally. Fixes 0009286
Affected Issues: 0009286
mod - src/lib/util/common_allocation.c

Issue History

Date Modified Username Field Change
2024-10-21 15:51 fefe New Issue
2024-10-23 13:19 schanzen Target Version => 0.22.2
2024-10-25 15:33 schanzen Relationship added related to 0009291
2024-10-25 15:35 schanzen Note Added: 0023602
2024-10-25 15:35 schanzen Assigned To => schanzen
2024-10-25 15:35 schanzen Status new => assigned
2024-10-29 13:15 schanzen Changeset attached => gnunet master 26321069
2024-10-29 13:15 schanzen Note Added: 0023614
2024-10-29 13:15 schanzen Status assigned => resolved
2024-10-29 13:15 schanzen Resolution open => fixed
2024-10-29 20:53 schanzen Fixed in Version => 0.22.2
2024-10-29 20:56 schanzen Note Added: 0023621
2024-10-29 20:56 schanzen Status resolved => closed