
[gnutls-dev] gnutls-0.3.2 bugs


From: Marc Huber
Subject: [gnutls-dev] gnutls-0.3.2 bugs
Date: Thu Jan 17 10:59:01 2002
User-agent: Mutt/1.3.20i

Trying to follow the instructions in src/README.srpcrypt I found that

- _gnutls_sbase64_encode() doesn't NUL-terminate strings smaller than
  4 bytes, and probably does the wrong thing for longer strings (I
  haven't done any in-depth auditing on this, so I might be wrong.)

- _gnutls_get_random() tries to gnutls_free() a gcry_malloc()ed pointer

- crypt_int() tries to free() a gnutls_malloc()ed pointer

- read_conf_values(): _gnutls_sbase64_decode() doesn't allocate memory
  on failure, so gnutls_free() shouldn't be called.

Cheers,

Marc


diff -cr gnutls-0.3.2.original/lib/auth_srp_sb64.c 
gnutls-0.3.2/lib/auth_srp_sb64.c
*** gnutls-0.3.2.original/lib/auth_srp_sb64.c   Tue Jul 31 03:16:01 2001
--- gnutls-0.3.2/lib/auth_srp_sb64.c    Tue Jan 15 23:15:25 2002
***************
*** 144,150 ****
  
        ret += (data_size * 4) / 3;
  
!       (*result) = gnutls_malloc( ret + 1);
        if ((*result) == NULL)
                return -1;
  
--- 144,150 ----
  
        ret += (data_size * 4) / 3;
  
!       (*result) = gnutls_calloc(1, ret + 1);
        if ((*result) == NULL)
                return -1;
  
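Review bot: The NUL terminator now comes only from the zero fill at `(*result) = gnutls_calloc(1, ret + 1);`, which is easy to miss and holds only if the encoder never writes into the final byte. Add a comment at the allocation saying the terminator depends on it, and confirm that `ret` after `ret += (data_size * 4) / 3;` is a true upper bound on the bytes later copied into `*result`.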
***************
*** 171,177 ****
                        return tmp;
                }
                memcpy(&(*result)[j], tmpres, tmp);
-               (*result)[j+tmp] = 0;
        }
  
        return strlen(*result);
--- 171,176 ----
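Review bot: Dropping `(*result)[j+tmp] = 0;` leaves `return strlen(*result);` with no explicit terminator anywhere in this function, so its correctness rests entirely on the allocation change in the earlier hunk. Consider writing one explicit terminator after the loop, or tracking the number of bytes written and returning that instead of calling `strlen`. Also check that the `return tmp;` error path in the context lines releases `*result`; the visible lines do not show a free before it.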
diff -cr gnutls-0.3.2.original/lib/gnutls_random.c 
gnutls-0.3.2/lib/gnutls_random.c
*** gnutls-0.3.2.original/lib/gnutls_random.c   Sun Dec 23 14:18:39 2001
--- gnutls-0.3.2/lib/gnutls_random.c    Tue Jan 15 23:03:33 2002
***************
*** 75,81 ****
      }
  
      memcpy( res, buf, bytes);
!     gnutls_free(buf);
      
      return 0;
  #endif
--- 75,81 ----
      }
  
      memcpy( res, buf, bytes);
!     gcry_free(buf);
      
      return 0;
  #endif
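Review bot: Only the success path at `gcry_free(buf);` is visible, and the block closed by `}` just above the `memcpy` is not shown. If that block returns early while `buf` is held, it needs the same libgcrypt release rather than `gnutls_free()`. A short comment at the allocation noting that `buf` is owned by libgcrypt's allocator would keep the pairing from regressing.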
diff -cr gnutls-0.3.2.original/src/crypt.c gnutls-0.3.2/src/crypt.c
*** gnutls-0.3.2.original/src/crypt.c   Sun Dec 23 14:19:00 2001
--- gnutls-0.3.2/src/crypt.c    Wed Jan 16 00:17:17 2002
***************
*** 380,386 ****
                if (put==0) {
                        fprintf(fd, "%s:%s:%u\n", username, cr, iindex);
                }
!               free(cr);
                
                fclose(fd);
                fclose(fd2);
--- 380,386 ----
                if (put==0) {
                        fprintf(fd, "%s:%s:%u\n", username, cr, iindex);
                }
!               gnutls_free(cr);
                
                fclose(fd);
                fclose(fd2);
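Review bot: `gnutls_free(cr);` corrects this one release site, but any other exit from the function that is reached after `cr` is allocated needs the same call instead of `free()`. Check the remaining return paths for `cr` before merging, and consider a comment where `cr` is obtained stating which allocator owns it.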
***************
*** 422,428 ****
        tmp_size = _gnutls_sbase64_decode(p, len, &tmp);
  
        if (tmp_size < 0) {
-               gnutls_free(tmp);
                return -1;
        }
        if (gcry_mpi_scan(g, GCRYMPI_FMT_USG, tmp, &tmp_size)) {
--- 422,427 ----
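Review bot: Removing `gnutls_free(tmp);` from the `tmp_size < 0` branch is safe only while `_gnutls_sbase64_decode()` guarantees that nothing is left allocated on failure, and nothing in this hunk records that contract. Document it at the decoder and initialise `tmp` to NULL at its declaration, so this branch stays correct if the decoder's failure behaviour ever changes. The `gcry_mpi_scan(g, GCRYMPI_FMT_USG, tmp, &tmp_size)` failure branch that follows is reached with `tmp` allocated, so confirm that it releases `tmp`.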



