On Sat, 1 Apr 2006, Tobias Stoeckmann wrote:

> Hi,
>
> there is a possible (but veeery unlikely) integer overflow in gzsig
> during the load of public and private keys. First off I will post the
> affected code:
>
>     struct stat st;
>     ...
>     if (fstat(fd, &st) < 0)
>         return (-1);
>     ...
>     if (st.st_size == 0) {
>         errno = EINVAL;
>         return (-1);
>     }
>     if ((iov->iov_base = malloc(st.st_size + 1)) == NULL)
>         return (-1);
>
>     iov->iov_len = st.st_size;
>     ((u_char *)iov->iov_base)[iov->iov_len] = '\0';
>
>     if (read(fd, iov->iov_base, iov->iov_len) != iov->iov_len) {
>
> st_size is of type off_t which is 64 bit. malloc expects a variable
> of type size_t which is (at least on my arch) 32 bit. If st_size
> would be SIZE_T_MAX, malloc would allocate 0 bytes. In this case,
> the following steps would assume that the reserved memory block
> would be SIZE_T_MAX (because iov_len, which is of type size_t, can
> store that value). In this special case it is likely that a
> segmentation fault happens as there would be a lot of data in the
> file referenced with fd.
>
> Therefore I think st.st_size should be checked for a max value.
> My patch suggests ULONG_MAX, perhaps there is a better way for this?

It is better to check against SIZE_T_MAX.

> --- usr.bin/gzsig/key.c~ Sat Apr 1 16:46:42 2006
> +++ usr.bin/gzsig/key.c Sat Apr 1 16:47:58 2006
> @@ -33,6 +33,7 @@
>   * $Vendor: key.c,v 1.2 2005/04/01 16:47:31 dugsong Exp $
>   */
>
> +#include <sys/limits.h>
>  #include <sys/types.h>
>  #include <sys/stat.h>
>  #include <sys/uio.h>
> @@ -78,7 +79,7 @@
>  	if (fstat(fd, &st) < 0)
>  		return (-1);
>
> -	if (st.st_size == 0) {
> +	if (st.st_size == 0 || st.st_size > ULONG_MAX - 1) {
>  		errno = EINVAL;
>  		return (-1);
>  	}
>
>
> I would like to get feedback (of any kind) about this as I am very
> new to this kind of error. Perhaps my assumption that someone
> would craft a public or private key 8 GB in size is so idiotic that
> nobody will care about this ...
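Review bot: in the first hunk, the added include should follow whichever constant the second hunk ends up using: ULONG_MAX is portably spelled via `<limits.h>` rather than `<sys/limits.h>`, and if the bound moves to SIZE_T_MAX (or the C99 SIZE_MAX from `<stdint.h>`) as the reply suggests, the header line needs to change with it.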
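Review bot: in the second hunk, `st.st_size > ULONG_MAX - 1` bounds the size by the width of unsigned long, but the value is narrowed to size_t at the `malloc(st.st_size + 1)` call, so the bound should be written in terms of size_t (SIZE_T_MAX - 1, or SIZE_MAX - 1), which is what the reply recommends; the `- 1` itself is correct because the allocation adds one byte for the terminating NUL. Since off_t is signed, the result of this comparison for a negative st_size depends on the relative widths of off_t and unsigned long on the build platform, so an explicit `st.st_size < 0` rejection next to the `== 0` test would make the intent unambiguous.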
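The narrowing the post describes and the bounded loader it asks for, as an added example that is not gzsig's code or part of the thread; the helper names (width_max, narrowed_alloc, size_fits, load_file, roundtrip) are mine, and the size_t width is passed as a parameter so the 32-bit case can be exercised on a 64-bit host.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/uio.h>

/* All-ones value of a size_t of the given width; lets a 32-bit size_t be modelled on any host. */
static uint64_t width_max(unsigned bits) { return bits >= 64 ? UINT64_MAX : ((uint64_t)1 << bits) - 1; }
/* What malloc() actually receives once (size + 1) is narrowed to size_t: 0 when size == SIZE_T_MAX. */
uint64_t narrowed_alloc(int64_t size, unsigned bits) { return ((uint64_t)size + 1) & width_max(bits); }
/* 1 if size + 1 still fits, i.e. size <= SIZE_T_MAX - 1 (the bound the patch spells as ULONG_MAX - 1). */
int size_fits(int64_t size, unsigned bits) { return size >= 0 && (uint64_t)size <= width_max(bits) - 1; }

/* Loader with the quoted code's shape, but st_size is bounded against the host's real size_t first. */
int load_file(int fd, struct iovec *iov)
{
	struct stat st;
	if (fstat(fd, &st) < 0)
		return (-1);
	if (st.st_size == 0 || !size_fits(st.st_size, 8 * sizeof(size_t))) {	/* 8-bit bytes assumed */
		errno = EINVAL;
		return (-1);
	}
	if ((iov->iov_base = malloc((size_t)st.st_size + 1)) == NULL)
		return (-1);
	iov->iov_len = (size_t)st.st_size;
	((unsigned char *)iov->iov_base)[iov->iov_len] = '\0';	/* the NUL the + 1 pays for */
	return read(fd, iov->iov_base, iov->iov_len) == (ssize_t)iov->iov_len ? 0 : -1;
}

/* Round-trips constructed bytes through tmpfile(); returns the loaded length, 0 if rejected or corrupted. */
size_t roundtrip(const char *data, size_t n)
{
	FILE *fp = tmpfile();
	struct iovec iov;
	size_t len = 0;
	if (fp == NULL || fwrite(data, 1, n, fp) != n || fflush(fp) != 0)
		return 0;
	rewind(fp);	/* fd offset is back at 0 for read() in load_file() */
	if (load_file(fileno(fp), &iov) == 0) {
		if (memcmp(iov.iov_base, data, n) == 0 && ((char *)iov.iov_base)[n] == '\0')
			len = iov.iov_len;
		free(iov.iov_base);
	}
	fclose(fp);
	return len;
}
```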