View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009327 | GNUnet | util library | public | 2024-11-04 17:11 | 2024-11-05 09:04 |
Reporter | fefe | Assigned To | schanzen | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Target Version | 0.22.3 | ||||
Summary | 0009327: GNUNET_DNSPARSER_builder_add_uri: integer overflow | ||||
Description |

```
1258 if (*off + sizeof(struct GNUNET_TUN_DnsUriRecord) > dst_len)
1259   return GNUNET_NO;
```

adding sizeof(...) to *off could overflow.

```
1262 GNUNET_memcpy (&dst[*off], &sd, sizeof(sd));
1263 (*off) += sizeof(sd);
1264 strncpy (&dst[*off], uri->target, dst_len - sizeof(struct
1265          GNUNET_TUN_DnsUriRecord)
1266          - 1);
```

The "- 1" could make the value negative and cause underflow, negating the length check in strncpy and causing memory corruption.

```
1267 (*off) += strlen (uri->target);
1268 dst[*off] = '\0';
```

If strncpy truncated the copy, adding strlen(src) will move *off past the end of the buffer. Writing the 0 terminator is then memory corruption.
Tags | No tags attached. | ||||
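
The three problems in the description, shown as an added C sketch (not the GNUnet code and not the fix attached as c87c8366): `naive_fits` reproduces the wrapping check, and `add_uri_checked` is one overflow-safe way to write the same append. `struct uri_hdr` is a stand-in for `struct GNUNET_TUN_DnsUriRecord` with an assumed layout, and both function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct GNUNET_TUN_DnsUriRecord (assumed: two 16-bit fields). */
struct uri_hdr { uint16_t prio; uint16_t weight; };

/* The check as quoted in the report: off + sizeof can wrap around. */
static int naive_fits (size_t off, size_t dst_len)
{
  return ! (off + sizeof (struct uri_hdr) > dst_len);
}

/* Overflow-safe variant: subtract only after proving the result is >= 0.
   Returns 1 on success, 0 if header + target + NUL do not fit. */
static int add_uri_checked (char *dst, size_t dst_len, size_t *off,
                            const struct uri_hdr *hdr, const char *target)
{
  size_t room, tlen;

  if (*off > dst_len)
    return 0;
  room = dst_len - *off;            /* cannot underflow */
  if (room < sizeof (*hdr))
    return 0;
  room -= sizeof (*hdr);            /* cannot underflow */
  tlen = strlen (target);
  if (tlen >= room)                 /* need tlen bytes plus the NUL */
    return 0;
  memcpy (&dst[*off], hdr, sizeof (*hdr));
  *off += sizeof (*hdr);
  memcpy (&dst[*off], target, tlen);
  *off += tlen;                     /* advance by bytes actually written */
  dst[*off] = '\0';
  return 1;
}

int main (void)
{
  char buf[16];
  struct uri_hdr h = { 1, 2 };
  size_t off = 0;

  printf ("naive check, off=SIZE_MAX-1: %d\n", naive_fits (SIZE_MAX - 1, sizeof (buf)));
  printf ("checked, oversized target: %d\n",
          add_uri_checked (buf, sizeof (buf), &off, &h, "gnunet://a-long-target"));
  return 0;
}
```

Because the target is rejected rather than truncated, `*off` never advances further than the bytes written, which is the invariant the quoted lines 1267-1268 lose.
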
Date Modified | Username | Field | Change |
---|---|---|---|
2024-11-04 17:11 | fefe | New Issue | |
2024-11-04 19:26 | schanzen | Target Version | => 0.22.3 |
2024-11-05 09:04 | schanzen | Changeset attached | => gnunet master c87c8366 |
2024-11-05 09:04 | schanzen | Note Added: 0023661 | |
2024-11-05 09:04 | schanzen | Assigned To | => schanzen |
2024-11-05 09:04 | schanzen | Status | new => resolved |
2024-11-05 09:04 | schanzen | Resolution | open => fixed |