
box: fix out of bound write in error_payload_destroy() #9114

Conversation

Gumix
Contributor

@Gumix Gumix commented Sep 7, 2023

If strlen(name) is 1, value_size is 1, and extra is 0, then 15 bytes are allocated for struct error_field in error_payload_prepare(). However, the size of this structure is 16 because of the padding for the alignment. Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.

Closes #9098
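The mismatch described above can be reproduced with a small constructed model of the allocation arithmetic. This is an added example, not tarantool's own code: `struct field` is a hypothetical layout chosen so that `offsetof(data)` is 12 while `sizeof` is padded to 16, which yields the same 15-vs-16 numbers as the PR description for a one-character name, `value_size` 1 and `extra` 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical header: an 8-byte-aligned member forces sizeof to be
 * rounded up to 16 even though the last fixed member ends at offset 12. */
struct field {
	_Alignas(8) uint64_t header;
	uint32_t size;
	char data[];	/* name + NUL, then value bytes, then extra */
};

/* Bytes actually needed for the header prefix plus the variable payload. */
static size_t
field_payload_size(const char *name, uint32_t value_size, uint32_t extra)
{
	return offsetof(struct field, data) + strlen(name) + 1 + value_size + extra;
}

/* Buggy variant: the result can be smaller than sizeof(struct field). */
static size_t
field_alloc_size_buggy(const char *name, uint32_t value_size, uint32_t extra)
{
	return field_payload_size(name, value_size, extra);
}

/* Fixed variant: never allocate fewer bytes than the struct itself occupies,
 * so a destroy-time memset/TRASH of sizeof(struct field) stays in bounds. */
static size_t
field_alloc_size_fixed(const char *name, uint32_t value_size, uint32_t extra)
{
	size_t n = field_payload_size(name, value_size, extra);
	return n < sizeof(struct field) ? sizeof(struct field) : n;
}

/* How many bytes a memset of sizeof(struct field) would write past the end
 * of a block of alloc_size bytes; 0 means the write is in bounds. */
static size_t
destroy_overrun(size_t alloc_size)
{
	return alloc_size < sizeof(struct field) ? sizeof(struct field) - alloc_size : 0;
}

int
main(void)
{
	printf("sizeof=%zu buggy=%zu overrun=%zu fixed=%zu\n", sizeof(struct field),
	       field_alloc_size_buggy("x", 1, 0), destroy_overrun(field_alloc_size_buggy("x", 1, 0)),
	       field_alloc_size_fixed("x", 1, 0));
	return 0;
}
```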

@Gumix Gumix requested review from a team as code owners September 7, 2023 17:10
@Gumix Gumix requested a review from locker September 7, 2023 18:03
Review threads (outdated, resolved): src/lib/core/error_payload.c, test/unit/xrow.cc
@locker locker assigned Gumix and unassigned locker Sep 8, 2023
If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes
are allocated for `struct error_field` in error_payload_prepare(). However,
the size of this structure is 16 because of the padding for the alignment.
Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.

Closes tarantool#9098

NO_DOC=bugfix
@Gumix Gumix force-pushed the iverbin/gh-9098-heap-buffer-overflow-in-xrow_decode_error branch from d927d3a to 077d23d Compare September 8, 2023 18:58
@coveralls

Coverage Status

coverage: 86.385% (+0.02%) from 86.368% when pulling 077d23d on Gumix:iverbin/gh-9098-heap-buffer-overflow-in-xrow_decode_error into ae5964a on tarantool:master.

@Gumix Gumix requested a review from locker September 8, 2023 19:29
@Gumix Gumix assigned locker and unassigned Gumix Sep 8, 2023
@locker locker added the full-ci Enables all tests for a pull request label Sep 11, 2023
@locker locker merged commit 454ffd1 into tarantool:master Sep 11, 2023
101 checks passed
@locker
Member

locker commented Sep 11, 2023

Cherry-picked to 2.11.

Successfully merging this pull request may close these issues.

Heap buffer overflow in xrow_decode_error