From 15f93ef1a40f29fad8800222706c229a79c294d1 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Tue, 21 Mar 2023 11:38:14 +0100
Subject: [PATCH] Fix: Use source size copying strings with memcpy

(cherry picked from commit 297cee37ec7a0aa62a7a1394d164124656f5c966)
---
 base/networking.c | 5 ++++-
 base/prefs.c | 7 ++-----
 base/proctitle.c | 2 +-
 osp/osp.c | 9 ++++++++-
 util/passwordbasedauthentication.c | 15 ++++++++++++++-
 5 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/base/networking.c b/base/networking.c
index 7a1170cb6..d063bce1f 100644
--- a/base/networking.c
+++ b/base/networking.c
@@ -81,6 +81,9 @@ gvm_source_iface_init (const char *iface)
 if (iface == NULL)
 return ret;
+ if (strlen (iface) >= sizeof (global_source_iface))
+ return ret;
+
 if (getifaddrs (&ifaddr) == -1)
 return ret;
@@ -111,7 +114,7 @@ gvm_source_iface_init (const char *iface)
 /* At least one address for the interface was found. */
 if (ret == 0)
- memcpy (global_source_iface, iface, sizeof (global_source_iface) - 1);
+ memcpy (global_source_iface, iface, strlen (iface));
 freeifaddrs (ifaddr);
 return ret;
diff --git a/base/prefs.c b/base/prefs.c
index b871c8420..20ec0bd84 100644
--- a/base/prefs.c
+++ b/base/prefs.c
@@ -170,14 +170,11 @@ void
 prefs_config (const char *config)
 {
 settings_iterator_t settings;
- char buffer[2048];
 if (!global_prefs)
 prefs_init ();
- memset (buffer, 0, sizeof (buffer));
- memcpy (buffer, config, sizeof (buffer) - 1);
- if (!init_settings_iterator_from_file (&settings, buffer, "Misc"))
+ if (!init_settings_iterator_from_file (&settings, config, "Misc"))
 {
 while (settings_iterator_next (&settings))
 prefs_set (settings_iterator_name (&settings),
@@ -186,7 +183,7 @@ prefs_config (const char *config)
 cleanup_settings_iterator (&settings);
 }
- prefs_set ("config_file", buffer);
+ prefs_set ("config_file", config);
 }
 /**
diff --git a/base/proctitle.c b/base/proctitle.c
index 54e735b2f..e6133898e 100644
--- a/base/proctitle.c
+++ b/base/proctitle.c
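Review bot: In base/networking.c, the new `memcpy (global_source_iface, iface, strlen (iface));` in the second hunk of gvm_source_iface_init copies the name without its terminating NUL and does not clear the destination first. The result is a valid string only if global_source_iface was all zeros beforehand; its definition is outside the hunk, and if the function can run more than once with a shorter name, the tail of the earlier name would remain in the buffer. Because the first hunk already guarantees `strlen (iface) < sizeof (global_source_iface)`, copying the terminator as well is safe: `memcpy (global_source_iface, iface, strlen (iface) + 1);`. The function body starts and ends outside both hunks.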
@@ -129,7 +129,7 @@ proctitle_set_args (const char *new_title, va_list args)
 formatted = g_strdup_vprintf (new_title, args);
 tmp = strlen (formatted);
- if (tmp > max_prog_name)
+ if (tmp >= max_prog_name)
 {
 formatted[max_prog_name] = '\0';
 tmp = max_prog_name;
diff --git a/osp/osp.c b/osp/osp.c
index c0b088829..8e3b60942 100644
--- a/osp/osp.c
+++ b/osp/osp.c
@@ -143,6 +143,13 @@ osp_connection_new (const char *host, int port, const char *cacert,
 struct sockaddr_un addr;
 int len;
+ if (strlen (host) >= sizeof (addr.sun_path))
+ {
+ g_warning ("%s: given host / socket path too long (%lu > %lu bytes)",
+ __func__, strlen (host), sizeof (addr.sun_path) - 1);
+ return NULL;
+ }
+
 connection = g_malloc0 (sizeof (*connection));
 connection->socket = socket (AF_UNIX, SOCK_STREAM, 0);
 if (connection->socket == -1)
@@ -153,7 +160,7 @@ osp_connection_new (const char *host, int port, const char *cacert,
 addr.sun_family = AF_UNIX;
 memset (addr.sun_path, 0, sizeof (addr.sun_path));
- memcpy (addr.sun_path, host, sizeof (addr.sun_path) - 1);
+ memcpy (addr.sun_path, host, strlen (host));
 len = strlen (addr.sun_path) + sizeof (addr.sun_family);
 if (connect (connection->socket, (struct sockaddr *) &addr, len) == -1)
 {
diff --git a/util/passwordbasedauthentication.c b/util/passwordbasedauthentication.c
index a3c3fafe4..47efaf082 100644
--- a/util/passwordbasedauthentication.c
+++ b/util/passwordbasedauthentication.c
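Review bot: In base/proctitle.c, switching the test to `tmp >= max_prog_name` does not change what proctitle_set_args does: when `tmp == max_prog_name`, `formatted[max_prog_name]` is already the string's NUL terminator and `tmp` already equals `max_prog_name`. If the aim is for the title and its terminator to fit in `max_prog_name` bytes, the truncation itself has to move, e.g. `formatted[max_prog_name - 1] = '\0'; tmp = max_prog_name - 1;`, with a guard for `max_prog_name == 0`. The copy that consumes `tmp` is outside the hunk, so whether a terminator byte is reserved there should be confirmed before choosing.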
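Review bot: In osp/osp.c, the `g_warning` added to osp_connection_new prints `strlen (host)` and `sizeof (addr.sun_path) - 1` with `%lu`, but both arguments are `size_t`; on targets where `size_t` is not `unsigned long` this is a format/argument mismatch. Use `%zu` (or GLib's `G_GSIZE_FORMAT`), e.g. `"%s: given host / socket path too long (%zu > %zu bytes)"`. The new check also calls `strlen (host)` before anything visible in the hunk tests `host` for NULL; the enclosing condition is outside the hunk, so confirm it already rules that out.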
@@ -231,16 +231,28 @@ pba_verify_hash (const struct PBASettings *setting, const char *hash,
 struct crypt_data *data = NULL;
 int i = 0;
 enum pba_rc result = ERR;
+
+ char *invalid_hash = calloc (1, CRYPT_OUTPUT_SIZE);
+ memset (invalid_hash, 0, CRYPT_OUTPUT_SIZE);
+ memcpy (invalid_hash, INVALID_HASH, strlen (INVALID_HASH));
+
 if (!setting)
 goto exit;
 if (!is_prefix_supported (setting->prefix))
 goto exit;
 if (pba_is_phc_compliant (hash) != 0)
 {
+ int hash_size;
+ hash_size = hash ? strlen (hash) : strlen (invalid_hash);
+
 data = calloc (1, sizeof (struct crypt_data));
 // manipulate hash to reapply pepper
 tmp = calloc (1, CRYPT_OUTPUT_SIZE);
- memcpy (tmp, hash ? hash : INVALID_HASH, CRYPT_OUTPUT_SIZE);
+
+ memset (tmp, 0, CRYPT_OUTPUT_SIZE);
+ memcpy (tmp, hash ? hash : invalid_hash,
+ (hash_size < CRYPT_OUTPUT_SIZE) ? hash_size
+ : CRYPT_OUTPUT_SIZE - 1);
 cmp = strrchr (tmp, '$');
 for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
 {
@@ -273,6 +285,7 @@ pba_verify_hash (const struct PBASettings *setting, const char *hash,
 result = INVALID;
 }
 exit:
+ free (invalid_hash);
 if (data != NULL)
 free (data);
 if (tmp != NULL)
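Review bot: In util/passwordbasedauthentication.c, the first hunk of pba_verify_hash passes the result of `calloc (1, CRYPT_OUTPUT_SIZE)` straight to `memset` and `memcpy` without a NULL check, for both `invalid_hash` and `tmp`, so an allocation failure becomes a NULL dereference inside the password check. The `memset` calls are redundant after `calloc`, and `hash_size` stores a `size_t` in an `int`. The heap copy of INVALID_HASH is not needed at all: the bounded copy can read from `hash ? hash : INVALID_HASH` directly, which also makes the `free (invalid_hash)` added in the second hunk unnecessary. The function continues outside both hunks; the sketch below assumes `tmp` starts as NULL, as the `exit:` path implies.

```c
  if (pba_is_phc_compliant (hash) != 0)
    {
      /* Copy at most CRYPT_OUTPUT_SIZE - 1 bytes; calloc leaves the rest NUL. */
      const char *src = hash ? hash : INVALID_HASH;
      size_t src_len = strlen (src);

      data = calloc (1, sizeof (struct crypt_data));
      tmp = calloc (1, CRYPT_OUTPUT_SIZE);
      if (data == NULL || tmp == NULL)
        goto exit;
      if (src_len >= CRYPT_OUTPUT_SIZE)
        src_len = CRYPT_OUTPUT_SIZE - 1;
      memcpy (tmp, src, src_len);
      // … unchanged: pepper handling from strrchr (tmp, '$') onward …
```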