
http.c: potential buffer overflow
Closed, ResolvedPublic


For some reason, I have a feeling the adversary controls 'line', which gnupg is
attempting to parse.

/usr/local/bin/scan-build/ccc-analyzer -DHAVE_CONFIG_H -I. -I.. -I../gl
-I../intl -DLOCALEDIR=\"/home/jwalton/gpg-analyze/share/locale\"
-I/home/jwalton/gpg-analyze/include -I/usr/local/include
-I/home/jwalton/gpg-analyze/include -I/home/jwalton/gpg-analyze/include
-I/usr/include/p11-kit-1 -I/home/jwalton/gpg-analyze/include -g3 -O1 -Wall
-Wno-pointer-sign -Wpointer-arith -MT libcommontlsnpth_a-http.o -MD -MP -MF
.deps/libcommontlsnpth_a-http.Tpo -c -o libcommontlsnpth_a-http.o `test -f
'http.c' || echo './'`http.c
http.c:836:8: warning: Access to field 'in_data' results in a dereference of a
null pointer (loaded from variable 'hd')

if (!hd->in_data)

http.c:1884:3: warning: String copy function overflows destination buffer

strcpy (h->name, line);

2 warnings generated.



Event Timeline

JW set Version to 2.1.2.
JW added a subscriber: JW.

On the second warning:

Please view that in context:

  /* Append a new header. */
  h = xtrymalloc (sizeof *h + strlen (line));
  if (!h)
    return gpg_err_code_from_syserror ();
  strcpy (h->name, line);

How should that overflow a buffer? It has just been allocated - also check the
definition of the struct used for h.

The first warning: The function is pretty short:

  void
  http_start_data (http_t hd)
  {
    if (!hd->in_data)
      {
        es_fputs ("\r\n", hd->fp_write);
        es_fflush (hd->fp_write);
        hd->in_data = 1;
      }
    else
      es_fflush (hd->fp_write);
  }

I do not understand how your analyzer gets to the conclusion that hd == NULL?
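An added example (not code from GnuPG or from this thread) that models the allocation idiom werner points to: a trailing one-element array that is over-allocated at malloc time, so the strcpy is in bounds even though a static analyzer, looking only at the declared size of name[1], reports an overflow. The struct layout, the function names and the use of plain malloc are assumptions for illustration; the C99 flexible-array variant is shown because analyzers understand it and do not raise this false positive.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header record in the "struct hack" style.  name[1] is
   deliberately the last member so the caller can over-allocate and
   store a whole line in it.  Not GnuPG's struct, only a model.  */
struct header_s
{
  struct header_s *next;
  char *value;
  char name[1];
};

/* Same record with a C99 flexible array member.  Here sizeof does not
   include a byte for name, so an allocation must add strlen(line) + 1;
   the benefit is that tools know name[] has no fixed bound.  */
struct header_fam_s
{
  struct header_fam_s *next;
  char *value;
  char name[];
};

/* Bytes requested for one line, as in the reply: sizeof *h already
   contains the single byte of name[1], which covers the trailing NUL.  */
size_t
header_alloc_size (const char *line)
{
  return sizeof (struct header_s) + strlen (line);
}

/* Bytes usable by name[] inside that allocation; always >= strlen + 1
   (more, when padding sits between value and name).  */
size_t
header_name_capacity (const char *line)
{
  return header_alloc_size (line) - offsetof (struct header_s, name);
}

/* Allocate and fill a header record; NULL on allocation failure.  */
struct header_s *
append_header (const char *line)
{
  struct header_s *h = malloc (header_alloc_size (line));
  if (!h)
    return NULL;
  h->next = NULL;
  h->value = NULL;
  strcpy (h->name, line);   /* in bounds: capacity >= strlen (line) + 1 */
  return h;
}
```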

werner claimed this task.
werner lowered the priority of this task from High to Normal.
werner added a project: Mistaken.
werner removed a project: Mistaken.
werner added a project: Not A Bug.