Page MenuHome GnuPG
Create Task
Maniphest T1416

Possible buffer overflow in src/keyserver.c
Closed, ResolvedPublic
Actions

Description

I ran the clang tool to build gpa and to check for issues and there might be one
in src/keyserver.c. The struct ServerName contains:

char name[1];

However, later you do an strcpy(x->name, name) (line 72) where name is larger
than x->name.

Further in src/server.c in the function prepare_io_streams() the variable err
has no initial value. If I always take the false condition of the following
tests, it won't get any value. But at line 548 it is then tested. Maybe err
should get an initial value?

Details

Version
0.9.2

Event Timeline

dleidert set Version to 0.9.2.Jul 14 2012, 6:05 PM
dleidert added projects: gpa, Bug Report.
dleidert added a subscriber: dleidert.
dleidert added a comment.Jul 14 2012, 6:10 PM

The second thing I was wondering about was, is line 71:

x = g_malloc (sizeof *x + strlen (name) );

strlen() won't count the terminating byte whereas strcpy will copy it.

werner added a subscriber: werner.Jul 18 2012, 2:13 PM

The malloc + strcpy is a standard pattern. Example;

  struct {
    int flags;
    char name[1];
  } *foo;

  foo = xmalloc (sizeof *foo + strlen (string));
  strcpy (foo->name, string);

will always work correctly. The sizeof returns the length of the
structure which includes 1 byte for name. The strlen computes the
length of string without the terminator. However we alloacted one
extra byte (the name[1]) and thus everything is fine.

werner added a comment.Jul 18 2012, 2:17 PM

Regarding the ERR thing: You are right and I wonder why gcc (4.6.3) didn't
caught it.

werner closed this task as Resolved.Jul 18 2012, 2:23 PM
werner claimed this task.

Fix pushed.

werner reopened this task as Open.Jul 18 2012, 2:24 PM
werner added a project: Restricted Project.Aug 8 2012, 6:18 AM
werner closed this task as Resolved.Aug 9 2012, 4:06 PM
werner removed a project: Restricted Project.

0.9.3 has been released.