Page MenuHome GnuPG

Possible buffer overflow in src/keyserver.c
Closed, ResolvedPublic


I ran the clang tool to build gpa and to check for issues and there might be one
in src/keyserver.c. The struct ServerName contains:

char name[1];

However, later you do an strcpy(x->name, name) (line 72) where name is larger
than x->name.

Further in src/server.c in the function prepare_io_streams() the variable err
has no initial value. If I always take the false condition of the following
tests, it won't get any value. But at line 548 it is then tested. Maybe err
should get an initial value?



Event Timeline

The second thing I was wondering about was, is line 71:

x = g_malloc (sizeof *x + strlen (name) );

strlen() won't count the terminating byte whereas strcpy will copy it.

The malloc + strcpy is a standard pattern. Example;

  struct {
    int flags;
    char name[1];
  } *foo;

  foo = xmalloc (sizeof *foo + strlen (string));
  strcpy (foo->name, string);

will always work correctly. The sizeof returns the length of the
structure which includes 1 byte for name. The strlen computes the
length of string without the terminator. However we alloacted one
extra byte (the name[1]) and thus everything is fine.

Regarding the ERR thing: You are right and I wonder why gcc (4.6.3) didn't
caught it.

werner claimed this task.

Fix pushed.

werner removed a project: Testing.

0.9.3 has been released.