Permalink
Browse files

Prevent integer overflow on 64-bit architectures when receiving 4GB m…

…essages

In several places in proto.c, the sizes of portions of incoming messages
were stored in variables of type int or unsigned int instead of size_t.
If a message arrives with very large sizes (for example unsigned int
datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn
into malloc(0), which on some architectures returns a non-NULL pointer,
but UINT_MAX bytes will get written to that pointer.

Ensure all calls to malloc or realloc cannot integer overflow like this.

Thanks to Markus Vervier of X41 D-Sec GmbH <markus.vervier@x41-dsec.de>
for the report.

Signed-off-by: Ian Goldberg <iang@cs.uwaterloo.ca>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
  • Loading branch information...
Ian Goldberg
Ian Goldberg committed Mar 3, 2016
1 parent c976dfd commit ecfd4f468690af6e66b5bf92315972b86071ac1c
Showing with 7 additions and 7 deletions.
  1. +7 −7 src/proto.c
@@ -715,7 +715,7 @@ gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
unsigned int sender_keyid, recipient_keyid;
gcry_mpi_t sender_next_y = NULL;
unsigned char ctr[8];
unsigned int datalen, reveallen;
size_t datalen, reveallen;
unsigned char *data = NULL;
unsigned char *nul = NULL;
unsigned char givenmac[20];
@@ -916,7 +916,7 @@ OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep,
if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
if (k == 1) {
int fraglen = end - start - 1;
size_t fraglen = end - start - 1;
size_t newsize = fraglen + 1;
free(context->context_priv->fragment);
context->context_priv->fragment = NULL;
@@ -937,7 +937,7 @@ OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep,
}
} else if (n == context->context_priv->fragment_n &&
k == context->context_priv->fragment_k + 1) {
int fraglen = end - start - 1;
size_t fraglen = end - start - 1;
char *newfrag = NULL;
size_t newsize = context->context_priv->fragment_len + fraglen + 1;
/* Check for overflow */
@@ -989,10 +989,10 @@ gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count,
char ***fragments, ConnContext *context, const char *message)
{
char *fragdata;
int fragdatalen = 0;
size_t fragdatalen = 0;
int curfrag = 0;
int index = 0;
int msglen = strlen(message);
size_t index = 0;
size_t msglen = strlen(message);
/* Should vary by number of msgs */
int headerlen = context->protocol_version == 3 ? 37 : 19;
@@ -1012,7 +1012,7 @@ gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count,
int i;
char *fragmentmsg;
if (msglen - index < mms - headerlen) {
if (msglen - index < (size_t)(mms - headerlen)) {
fragdatalen = msglen - index;
} else {
fragdatalen = mms - headerlen;

0 comments on commit ecfd4f4

Please sign in to comment.