Fix potential read buffer overflow in PACKET_strndup() #399
Conversation
Why is it better to fix the issue here than in BUF_strndup itself? The siz = BUF_strnlen(str, siz) idiom is already present there, and it could be implemented using strncpy instead of strlcpy and always set the (siz+1)th byte to NUL.
Because I didn't think of it... indeed it may be simpler, I'll look into that.
Thanks for the report! Mea culpa. Turns out the standard strndup contract doesn't seem to say anything about reading out of the given bound, and BUF_strndup just does what strndup promises to do, and nothing more. That said, fixing BUF_strndup, and making it part of its contract is the safe thing to do. ghedo@, would you like to have a go yourself or shall I?
@ekasper I just pushed a new commit fixing BUF_strndup(). I'm currently running the test to check that everything is ok.
Pushed the correct fix now (there was a mistake in the old one).
Looks good. You can merge if you want.
Can we document its contract at the same time? I didn't see a comment or manual page describing the current contract.
Ok, so I just added a brief description of
Of course the description was wrong -.-", fixed it now.
Though it might make more sense to put it in include/openssl/buffer.h...
Done that now (but I can revert the change if needed).
So, I also added the overflow check based on
Due to its use of BUF_strlcpy(), the strlen() function will get called on the input data. However, since the input data may not end in a NUL-byte, strlen() will read from invalid memory. This also adds a check for siz overflow and some brief documentation for BUF_strndup().
Tests went good as well, so unless there are other comments I think this can be merged.
@ekasper ping?
Looks good, I am waiting for a second team member to review this.
Merged in 110f7b3, so this can be closed.
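The pattern the thread converges on, a bounded length scan followed by memcpy() so strlen() is never run on the caller's buffer, plus the siz + 1 overflow check, written as an added example that is not OpenSSL's BUF_strndup(); bounded_strnlen, safe_strndup and demo_unterminated_copy_len are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not OpenSSL code: a strndup that never reads past
 * siz bytes of str. Names are hypothetical. */

/* Length of str, scanning at most maxlen bytes; str need not be NUL-terminated. */
size_t bounded_strnlen(const char *str, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && str[n] != '\0')
        n++;
    return n;
}

/* Copies at most siz bytes of str and always NUL-terminates the copy.
 * Returns NULL on NULL input, if siz + 1 would wrap, or if malloc fails.
 * The caller frees the result. */
char *safe_strndup(const char *str, size_t siz)
{
    char *ret;

    if (str == NULL)
        return NULL;
    /* Bounded scan first: an unbounded strlen(str) here is the reported bug,
     * because a PACKET buffer need not end in a NUL byte. */
    siz = bounded_strnlen(str, siz);
    /* siz + 1 must not overflow to 0 before the allocation. */
    if (siz == SIZE_MAX)
        return NULL;
    ret = malloc(siz + 1);
    if (ret == NULL)
        return NULL;
    memcpy(ret, str, siz);   /* memcpy, not strlcpy: no strlen() on str */
    ret[siz] = '\0';
    return ret;
}

/* Duplicate a constructed 4-byte buffer with no trailing NUL and report the
 * length of the copy; -1 if the copy failed. */
int demo_unterminated_copy_len(void)
{
    char raw[4] = { 'p', 'k', 't', '!' };   /* constructed, unterminated */
    char *dup = safe_strndup(raw, sizeof(raw));
    int len = dup ? (int)strlen(dup) : -1;
    free(dup);
    return len;   /* 4: every byte copied, nothing read past raw[3] */
}
```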
Due to its use of BUF_strndup() (which in turn uses BUF_strlcpy()) the
strlen() function will get called on the input data. However, since the
input data may not end in a NUL-byte, strlen() will read from invalid
memory.
Here's the address sanitizer report for the packettest test (which is how I found the problem):