authorulfvonbelow <strilen@tilde.club>2023-01-29 05:15:30 -0600
committerMartin Schanzenbach <schanzen@gnunet.org>2023-02-06 13:31:16 +0900
commit3b5473735cb495ca50139adeb27e5135accaa22d (patch)
tree8e2b3076fcd2d7a104f1243af386e2f0146b9a18
parent1505f2f06b2d7f260811efee6597f725e4595e6c (diff)
downloadgnunet-3b5473735cb495ca50139adeb27e5135accaa22d.tar.gz
gnunet-3b5473735cb495ca50139adeb27e5135accaa22d.zip
UTIL: fix one-byte buffer over-reads.
GNUNET_CRYPTO_hash_from_string2 uses enclen as the length of its buffer that it passes to GNUNET_STRINGS_utf8_toupper, but GNUNET_STRINGS_utf8_toupper adds a null terminator, so it should be enclen+1. GNUNET_CRYPTO_crc16_step reads 1 byte past the end of the buffer passed to it. It masks out that byte in computing the result, but it's still technically an overread and could in extremely-rare circumstances cause a segmentation or access fault. It also upsets sanitizers, preventing other bugs from being found. Signed-off-by: Martin Schanzenbach <schanzen@gnunet.org>
-rw-r--r--src/util/crypto_crc.c2
-rw-r--r--src/util/crypto_hash.c2
2 files changed, 2 insertions, 2 deletions
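--- a/src/util/crypto_crc.c
+++ b/src/util/crypto_crc.c
@@ -114,7 +114,7 @@ GNUNET_CRYPTO_crc16_step (uint32_t sum, const void *buf, size_t len)
  for (; len >= 2; len -= 2)
  sum += *(hdr++);
  if (len == 1)
- sum += (*hdr) & ntohs (0xFF00);
+ sum += ntohs(*((uint8_t *)hdr) << 8);
  return sum;
 }
 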
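Review bot: The cast `(uint8_t *)hdr` in the `len == 1` branch drops the `const` that `buf` carries in the signature (hdr's declaration is outside the hunk, so this assumes it is a pointer-to-const), and nothing on the line records why the final byte is loaded through a byte pointer. I would write it as `sum += ntohs ((uint16_t) (*(const uint8_t *) hdr << 8));` with a comment such as `/* odd trailing byte: load 8 bits only, a 16-bit load would read past buf */`, so a later cleanup does not turn it back into a 16-bit read. The space before the call parenthesis also matches the `ntohs (0xFF00)` spelling the line had before. The function body starts outside the hunk.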
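--- a/src/util/crypto_hash.c
+++ b/src/util/crypto_hash.c
@@ -73,7 +73,7 @@ GNUNET_CRYPTO_hash_from_string2 (const char *enc,
  size_t enclen,
  struct GNUNET_HashCode *result)
 {
- char upper_enc[enclen];
+ char upper_enc[enclen+1];
  char *up_ptr = upper_enc;
 
  if (GNUNET_OK != GNUNET_STRINGS_utf8_toupper (enc, up_ptr))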
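Review bot: `char upper_enc[enclen+1]` is sized from `enclen`, but the call at the end of the hunk hands `GNUNET_STRINGS_utf8_toupper` only `enc` and `up_ptr`, with no length, so the bound holds only if `enc` is NUL-terminated, no longer than `enclen` bytes, and upper-casing never yields more bytes than it consumes. None of that is checked in the visible lines. If the callers do not already guarantee it, a guard such as `if (strnlen (enc, enclen + 1) > enclen) return GNUNET_SYSERR;` ahead of the call would make the assumption explicit (the return value is a guess at this function's error convention). The array is also a stack VLA whose size comes straight from the caller, so an upper limit on `enclen` is worth adding if it can be derived from untrusted input. At minimum a comment like `/* +1: GNUNET_STRINGS_utf8_toupper NUL-terminates its output */` belongs on the declaration; the function body continues past the hunk.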