[gnunet] 15/28: NAMESTORE: fix overread in handle_record_store.
From: gnunet
Subject: [gnunet] 15/28: NAMESTORE: fix overread in handle_record_store.
Date: Mon, 06 Feb 2023 06:19:17 +0100
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository gnunet.
commit eb1b1af264cfee84d2791bb68af9a8fd5d51b1f1
Author: ulfvonbelow <strilen@tilde.club>
AuthorDate: Sun Jan 29 06:38:07 2023 -0600
NAMESTORE: fix overread in handle_record_store.
A RecordStoreMessage looks like this:

| header | key | recordset |

A StoreActivity's rs field is supposed to point to the record set. handle_record_store tries to make a copy of this record set, but it does it by allocating enough memory for both key and recordset, then copying sizeof(key) + sizeof(recordset) bytes into it *starting from recordset*. This causes memcpy to read past the end of recordset by sizeof(key) bytes. There's still enough room in the allocated region for it, though, so it's only an overread.
Signed-off-by: Martin Schanzenbach <schanzen@gnunet.org>
---
src/namestore/gnunet-service-namestore.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/namestore/gnunet-service-namestore.c
b/src/namestore/gnunet-service-namestore.c
index d25287c9f..ed06b1dc5 100644
--- a/src/namestore/gnunet-service-namestore.c
+++ b/src/namestore/gnunet-service-namestore.c
@@ -1735,11 +1735,19 @@ handle_record_store (void *cls, const struct
RecordStoreMessage *rp_msg)
ssize_t read;
size_t key_len;
size_t kb_read;
+ size_t rp_msg_len;
+ size_t rs_len;
+ size_t rs_off;
+ size_t body_len;
struct StoreActivity *sa;
struct RecordSet *rs;
enum GNUNET_ErrorCode res;
key_len = ntohs (rp_msg->key_len);
+ rp_msg_len = ntohs (rp_msg->gns_header.header.size);
+ body_len = rp_msg_len - sizeof (*rp_msg);
+ rs_off = sizeof (*rp_msg) + key_len;
+ rs_len = rp_msg_len - rs_off;
if ((GNUNET_SYSERR ==
GNUNET_IDENTITY_read_private_key_from_buffer (&rp_msg[1],
key_len,
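Review bot: `rs_len = rp_msg_len - rs_off;` has no check in this hunk that rs_off <= rp_msg_len; key_len is taken straight from ntohs (rp_msg->key_len), so unless the matching check_ handler for this message type already rejects a key_len larger than the message body, the size_t subtraction wraps and the GNUNET_malloc / GNUNET_memcpy that later consume rs_len would be handed an enormous length. A guard that rejects the message when rs_off > rp_msg_len, placed right before the subtraction, would make the invariant visible where it is relied on. Separately, `body_len = rp_msg_len - sizeof (*rp_msg);` is assigned here but none of the three hunks reads body_len; if nothing further down in handle_record_store uses it, it is dead code and will draw an unused-variable warning, so either drop it or use it in the size check.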
@@ -1756,7 +1764,7 @@ handle_record_store (void *cls, const struct
RecordStoreMessage *rp_msg)
"Received NAMESTORE_RECORD_STORE message\n");
rid = ntohl (rp_msg->gns_header.r_id);
rd_set_count = ntohs (rp_msg->rd_set_count);
- buf = (const char *) &rp_msg[1] + key_len;
+ buf = (const char *) rp_msg + rs_off;
for (int i = 0; i < rd_set_count; i++)
{
rs = (struct RecordSet *) buf;
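Review bot: the new `buf = (const char *) rp_msg + rs_off;` is byte-for-byte equivalent to the old `(const char *) &rp_msg[1] + key_len`, since rs_off = sizeof (*rp_msg) + key_len, so this line is a readability change only and the commit message could say so. Now that rs_len names the size of the record set, the parsing loop that starts here would be easier to audit for overread if its bound were expressed against the end of the record set (buf + rs_len) rather than against rd_set_count alone; the hunk does not show what limits `read`, so please confirm that the per-record parser receives the remaining length.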
@@ -1770,15 +1778,12 @@ handle_record_store (void *cls, const struct
RecordStoreMessage *rp_msg)
}
buf += read;
}
- sa = GNUNET_malloc (sizeof(struct StoreActivity)
- + ntohs (rp_msg->gns_header.header.size)
- - sizeof (*rp_msg));
+ sa = GNUNET_malloc (sizeof(struct StoreActivity) + rs_len);
GNUNET_CONTAINER_DLL_insert (sa_head, sa_tail, sa);
sa->nc = nc;
sa->rs = (struct RecordSet *) &sa[1];
sa->rd_set_count = rd_set_count;
- GNUNET_memcpy (&sa[1], (char *) &rp_msg[1] + key_len,
- ntohs (rp_msg->gns_header.header.size) - sizeof (*rp_msg));
+ GNUNET_memcpy (&sa[1], (char *) rp_msg + rs_off, rs_len);
sa->rid = rid;
sa->rd_set_pos = 0;
sa->private_key = zone;
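Review bot: allocation and copy now agree, both sized by rs_len, which closes the key_len-byte overread described in the commit message (the old code sized the region for key plus record set but copied that many bytes starting at the record set). Since sa->rs = &sa[1] is the only visible pointer into the copied region, shrinking it by key_len is safe as far as these hunks show; a short comment on the GNUNET_malloc line noting that the private key is deliberately not copied into the StoreActivity would stop the next reader from "restoring" the larger size. Also worth noting that the copy happens after the validation loop above has walked every record set, so rs_len bytes are known to be well-formed before they are duplicated.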
--