0009327: GNUNET_DNSPARSER_builder_add_uri: integer overflow

ID	Project	Category	View Status	Date Submitted	Last Update

0009327	GNUnet	util library	public	2024-11-04 17:11	2024-11-05 09:04

Reporter	fefe	Assigned To	schanzen
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	resolved	Resolution	fixed
Target Version	0.22.3

Summary	0009327: GNUNET_DNSPARSER_builder_add_uri: integer overflow
Description	1258 if (off + sizeof(struct GNUNET_TUN_DnsUriRecord) > dst_len) 1259 return GNUNET_NO; adding sizeof(...) to off could overflow. 1262 GNUNET_memcpy (&dst[off], &sd, sizeof(sd)); 1263 (off) += sizeof(sd); 1264 strncpy (&dst[off], uri->target, dst_len - sizeof(struct 1265 GNUNET_TUN_DnsUriRecord) 1266 - 1); The "- 1" could make the value negative and cause underflow, negating the length check in strncpy and causing memory corruption. 1267 (off) += strlen (uri->target); 1268 dst[off] = '\0'; If strncpy truncated the copy, adding strlen(src) will move off past the end of the buffer. Writing the 0 terminator is then memory corruption.
Tags	No tags attached.

Date Modified	Username	Field	Change
2024-11-04 17:11	fefe	New Issue
2024-11-04 19:26	schanzen	Target Version	=> 0.22.3
2024-11-05 09:04	schanzen	Changeset attached	=> gnunet master c87c8366
2024-11-05 09:04	schanzen	Note Added: 0023661
2024-11-05 09:04	schanzen	Assigned To	=> schanzen
2024-11-05 09:04	schanzen	Status	new => resolved
2024-11-05 09:04	schanzen	Resolution	open => fixed

gnunet: master c87c8366 2024-11-05 10:03 schanzen Details Diff	util: fix integer overflow in URI parsing. Fixes 0009327	Affected Issues 0009327
	mod - src/cli/hello/gnunet-hello.c	Diff File
	mod - src/lib/util/dnsparser.c	Diff File

schanzen 2024-11-05 09:04 administrator ~0023661	Fix committed to master branch.