author | ulfvonbelow <strilen@tilde.club> | 2023-01-29 05:15:30 -0600 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2023-02-06 13:31:16 +0900 |
commit | 3b5473735cb495ca50139adeb27e5135accaa22d (patch) | |
tree | 8e2b3076fcd2d7a104f1243af386e2f0146b9a18 | |
parent | 1505f2f06b2d7f260811efee6597f725e4595e6c (diff) | |
download | gnunet-3b5473735cb495ca50139adeb27e5135accaa22d.tar.gz gnunet-3b5473735cb495ca50139adeb27e5135accaa22d.zip |
UTIL: fix one-byte buffer over-reads.
GNUNET_CRYPTO_hash_from_string2 uses enclen as the length of its buffer that
it passes to GNUNET_STRINGS_utf8_toupper, but GNUNET_STRINGS_utf8_toupper adds
a null terminator, so it should be enclen+1.
GNUNET_CRYPTO_crc16_step reads 1 byte past the end of the buffer passed to
it. It masks out that byte in computing the result, but it's still technically
an overread and could in extremely-rare circumstances cause a segmentation or
access fault. It also upsets sanitizers, preventing other bugs from being found.
Signed-off-by: Martin Schanzenbach <schanzen@gnunet.org>
-rw-r--r-- | src/util/crypto_crc.c | 2 | ||||
-rw-r--r-- | src/util/crypto_hash.c | 2 |
2 files changed, 2 insertions, 2 deletions
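--- a/src/util/crypto_crc.c
+++ b/src/util/crypto_crc.c
@@ -114,7 +114,7 @@ GNUNET_CRYPTO_crc16_step (uint32_t sum, const void *buf, size_t len)
 for (; len >= 2; len -= 2)
 sum += *(hdr++);
 if (len == 1)
-sum += (*hdr) & ntohs (0xFF00);
+sum += ntohs(*((uint8_t *)hdr) << 8);
 return sum;
 }
 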
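Review bot: The cast in `sum += ntohs(*((uint8_t *)hdr) << 8);` discards the const qualifier that `buf` carries in the signature; `(const uint8_t *) hdr` reads the same byte and keeps it. The line also needs a short comment, for example `/* odd trailing byte: load one byte only, a uint16_t load would read past buf */`, so that a later cleanup does not restore the two-byte load. The new call omits the space before the parenthesis that the removed line used (`ntohs (0xFF00)`). A unit test that passes an odd-length buffer ending at an allocation boundary, run under a sanitizer, would catch a regression. The declaration of `hdr` is outside the hunk, so its type is assumed to be a pointer to const 16-bit words.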
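--- a/src/util/crypto_hash.c
+++ b/src/util/crypto_hash.c
@@ -73,7 +73,7 @@ GNUNET_CRYPTO_hash_from_string2 (const char *enc,
 size_t enclen,
 struct GNUNET_HashCode *result)
 {
-char upper_enc[enclen];
+char upper_enc[enclen+1];
 char *up_ptr = upper_enc;
 
 if (GNUNET_OK != GNUNET_STRINGS_utf8_toupper (enc, up_ptr))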
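Review bot: `char upper_enc[enclen+1];` is still a variable-length array sized by the caller's `enclen`, and the `GNUNET_STRINGS_utf8_toupper (enc, up_ptr)` call passes no output size. The write therefore stays in bounds only if `enc` is NUL-terminated within `enclen` bytes and uppercasing does not lengthen the UTF-8 encoding, and the visible lines check neither. A guard before the call such as `if (strnlen (enc, enclen + 1) != enclen) return GNUNET_SYSERR;` would make the first condition explicit. An upper limit on `enclen` ahead of the declaration would bound the stack use and rule out `enclen+1` wrapping to zero. The function body continues past the hunk, so a later check may exist, but it would run after the write.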