View Issue Details

ID: 0009327
Project: GNUnet
Category: util library
View Status: public
Last Update: 2024-11-14 09:43
Reporter: fefe
Assigned To: schanzen
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Target Version: 0.23.0
Summary: 0009327: GNUNET_DNSPARSER_builder_add_uri: integer overflow
Description

    if (*off + sizeof(struct GNUNET_TUN_DnsUriRecord) > dst_len)
      return GNUNET_NO;

Adding sizeof(...) to *off could overflow.

    GNUNET_memcpy (&dst[*off], &sd, sizeof(sd));
    (*off) += sizeof(sd);
    strncpy (&dst[*off], uri->target,
             dst_len - sizeof(struct GNUNET_TUN_DnsUriRecord) - 1);

The "- 1" could make the value negative and cause underflow, negating the length check in strncpy and causing memory corruption.

    (*off) += strlen (uri->target);
    dst[*off] = '\0';

If strncpy truncated the copy, adding strlen(src) will move *off past the end of the buffer.
Writing the 0 terminator is then memory corruption.
Tags: No tags attached.
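
An added example, not part of the original report and not the fix committed to GNUnet: one way to write the three checks from the description so that no addition or subtraction can wrap. The names `put_uri` and `struct uri_hdr` are hypothetical stand-ins, not GNUnet identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the fixed-size URI record header. */
struct uri_hdr { uint16_t prio; uint16_t weight; };

/* Returns 1 on success, 0 if the record does not fit. *off is advanced
 * only on success. Every bound is computed by subtracting from a value
 * already known to be large enough, so nothing can wrap around. */
int put_uri(char *dst, size_t dst_len, size_t *off,
            const struct uri_hdr *hdr, const char *target)
{
  size_t tlen = strlen(target);
  size_t room;

  if (*off > dst_len)              /* offset already outside the buffer */
    return 0;
  room = dst_len - *off;           /* safe: *off <= dst_len */
  if (room < sizeof(*hdr))         /* replaces "*off + sizeof(...) > dst_len" */
    return 0;
  room -= sizeof(*hdr);            /* safe: room >= sizeof(*hdr) */
  if (tlen >= room)                /* need tlen bytes plus one for the NUL */
    return 0;
  memcpy(&dst[*off], hdr, sizeof(*hdr));
  memcpy(&dst[*off + sizeof(*hdr)], target, tlen + 1); /* includes the NUL */
  *off += sizeof(*hdr) + tlen;     /* bytes actually written; points at the NUL,
                                      as in the quoted code */
  return 1;
}

int main(void)
{
  char buf[16];                    /* constructed sample input */
  struct uri_hdr h = { 1, 2 };
  size_t off = 0;
  return put_uri(buf, sizeof buf, &off, &h, "a:b") ? 0 : 1;
}
```

Because the target either fits completely or the call fails, there is no truncated copy and the offset can never end up past the end of the buffer.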

Activities

schanzen

2024-11-05 09:04

administrator   ~0023661

Fix committed to master branch.

Related Changesets

gnunet: master c87c8366

2024-11-05 10:03

schanzen


util: fix integer overflow in URI parsing. Fixes 0009327

Affected Issues: 0009327

mod - src/cli/hello/gnunet-hello.c
mod - src/lib/util/dnsparser.c

Issue History

Date Modified Username Field Change
2024-11-04 17:11 fefe New Issue
2024-11-04 19:26 schanzen Target Version => 0.22.3
2024-11-05 09:04 schanzen Changeset attached => gnunet master c87c8366
2024-11-05 09:04 schanzen Note Added: 0023661
2024-11-05 09:04 schanzen Assigned To => schanzen
2024-11-05 09:04 schanzen Status new => resolved
2024-11-05 09:04 schanzen Resolution open => fixed
2024-11-14 09:43 schanzen Target Version 0.22.3 => 0.23.0