http.c: potential buffer overflow
Closed, ResolvedPublic

Description

For some reason, I have a feeling the adversary controls 'line', which gnupg is
attempting to parse.

/usr/local/bin/scan-build/ccc-analyzer -DHAVE_CONFIG_H -I. -I.. -I../gl
-I../intl -DLOCALEDIR=\"/home/jwalton/gpg-analyze/share/locale\"
-DGNUPG_BINDIR="\"/home/jwalton/gpg-analyze/bin\""
-DGNUPG_LIBEXECDIR="\"/home/jwalton/gpg-analyze/libexec\""
-DGNUPG_LIBDIR="\"/home/jwalton/gpg-analyze/lib/gnupg\""
-DGNUPG_DATADIR="\"/home/jwalton/gpg-analyze/share/gnupg\""
-DGNUPG_SYSCONFDIR="\"/home/jwalton/gpg-analyze/etc/gnupg\""
-DGNUPG_LOCALSTATEDIR="\"/home/jwalton/gpg-analyze/var\""
-I/home/jwalton/gpg-analyze/include -I/usr/local/include
-I/home/jwalton/gpg-analyze/include -I/home/jwalton/gpg-analyze/include
-I/usr/include/p11-kit-1 -I/home/jwalton/gpg-analyze/include -g3 -O1 -Wall
-Wno-pointer-sign -Wpointer-arith -MT libcommontlsnpth_a-http.o -MD -MP -MF
.deps/libcommontlsnpth_a-http.Tpo -c -o libcommontlsnpth_a-http.o `test -f
'http.c' || echo './'`http.c
http.c:836:8: warning: Access to field 'in_data' results in a dereference of a
null pointer (loaded from variable 'hd')

if (!hd->in_data)
     ^~~~~~~~~~~

http.c:1884:3: warning: String copy function overflows destination buffer

strcpy (h->name, line);
^~~~~~~~~~~~~~~~~~~~~~

2 warnings generated.

Details

Version
2.1.2
JW set Version to 2.1.2.
JW added a subscriber: JW.
werner added a subscriber: werner. Mar 10 2015, 8:46 AM

On the second warning:

Please view that in context:

  /* Append a new header. */
  /* The struct's last member is a one-element char array, so sizeof *h
     already includes one byte for the NUL; strlen (line) extra bytes
     leave room for the whole string. */
  h = xtrymalloc (sizeof *h + strlen (line));
  if (!h)
    return gpg_err_code_from_syserror ();
  strcpy (h->name, line);

How should that overflow a buffer? It has just been allocated - also check the
definition of the struct used for h.

The first warning: The function is pretty short:

  void
  http_start_data (http_t hd)
  {
    if (!hd->in_data)
      {
        es_fputs ("\r\n", hd->fp_write);
        es_fflush (hd->fp_write);
        hd->in_data = 1;
      }
    else
      es_fflush (hd->fp_write);
  }

I do not understand how your analyzer gets to the conclusion that hd == NULL?

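Added illustration, not code from the ticket or from GnuPG: a hypothetical stand-in for the header struct (the real definition is in http.c and is assumed here to end in a one-element char array) showing why the sizing werner points at holds, and the contrast with a C99 flexible array member, where the same arithmetic is one byte short.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the header struct http.c uses for h: its last
   member is a one-element char array, so sizeof *h already counts the NUL. */
struct header_s
{
  struct header_s *next;
  char name[1];
};

/* 1 if an allocation of sizeof *h + strlen (line) leaves room, from where
   name starts to the end of the block, for the string plus its terminator,
   i.e. the strcpy flagged by the analyzer cannot overrun the allocation. */
int
copy_fits (const char *line)
{
  size_t cap = sizeof (struct header_s) + strlen (line)
               - offsetof (struct header_s, name);
  return cap >= strlen (line) + 1;
}

/* The allocation and copy from the ticket, then a read-back check:
   returns 1 if the stored name equals line, 0 on allocation failure. */
int
roundtrip_ok (const char *line)
{
  struct header_s *h = malloc (sizeof *h + strlen (line));
  if (!h)
    return 0;
  h->next = NULL;
  strcpy (h->name, line);   /* writes strlen (line) + 1 bytes */
  int ok = strcmp (h->name, line) == 0;
  free (h);
  return ok;
}

/* Contrast: with a C99 flexible array member sizeof excludes the array,
   so the same arithmetic is one byte short and would need a "+ 1". */
struct header_fam { struct header_fam *next; char name[]; };

int
fam_copy_fits (const char *line)
{
  size_t cap = sizeof (struct header_fam) + strlen (line)
               - offsetof (struct header_fam, name);
  return cap >= strlen (line) + 1;
}
```
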
werner closed this task as Resolved. Mar 16 2015, 3:09 PM
werner claimed this task.
werner lowered the priority of this task from High to Normal.
werner added a project: Mistaken.
werner removed a project: Mistaken.
werner added a project: Not A Bug.