[Pkg-gnupg-maint] Bug#773470: Bug#773470: Fwd: off-by-one
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Dec 19 22:59:51 UTC 2014
Control: notfound 773470 2.1.1
On Thu 2014-12-18 13:32:24 -0500, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
>
> On line 1242 of app-nks.c, 'xtrymalloc' is called with 'datalen',
> which is calculated using "size_t datalen = oldpinlen + newpinlen"
The code you're talking about is here (in scd/app-nks.c):
1237       if ((flags & APP_CHANGE_FLAG_RESET))
1238         {
1239           char *data;
1240           size_t datalen = oldpinlen + newpinlen;
1241
1242           data = xtrymalloc (datalen);
1243           if (!data)
1244             {
1245               err = gpg_error_from_syserror ();
1246               goto leave;
1247             }
1248           memcpy (data, oldpin, oldpinlen);
1249           memcpy (data+oldpinlen, newpin, newpinlen);
1250           err = iso7816_reset_retry_counter_with_rc (app->slot, pwid,
1251                                                      data, datalen);
1252           wipememory (data, datalen);
1253           xfree (data);
1254         }
> This does not account for the null-bytes, and may cause either a
> buffer overflow, or other problems down the line.
The only place where data is used is with memcpy() and
iso7816_reset_retry_counter_with_rc() and wipememory().
In these invocations, the data buffer is passed with an appropriate size
value -- it is not used as a null-terminated string.
I'm closing this report because it is not a bug.
--dkg
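Added illustration of the point above (example code, not gnupg's): because every consumer of the old||new payload receives an explicit length, a buffer of exactly oldpinlen + newpinlen bytes is sufficient, and the bytes round-trip even when a PIN contains an embedded NUL. The length-aware consumer, the APDU_MAX cap and the size_t overflow guard are assumptions of this example; consume_payload() stands in for iso7816_reset_retry_counter_with_rc().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define APDU_MAX 255            /* capacity of the stand-in card buffer */
static unsigned char received[APDU_MAX];
static size_t received_len;

/* Stand-in for iso7816_reset_retry_counter_with_rc(): a length-aware
   consumer that copies exactly datalen bytes and never calls strlen(). */
static int consume_payload(const unsigned char *data, size_t datalen)
{
    if (datalen > APDU_MAX)
        return -1;
    memcpy(received, data, datalen);
    received_len = datalen;
    return 0;
}

/* Build old||new in a buffer of exactly oldpinlen + newpinlen bytes, as
   app-nks.c does, pass it with its length, then wipe and free. */
int reset_retry_counter(const char *oldpin, size_t oldpinlen,
                        const char *newpin, size_t newpinlen)
{
    /* Overflow guard on the sum; hypothetical, not taken from app-nks.c. */
    if (oldpinlen > SIZE_MAX - newpinlen)
        return -1;
    size_t datalen = oldpinlen + newpinlen;
    unsigned char *data = malloc(datalen ? datalen : 1);
    if (!data)
        return -1;
    memcpy(data, oldpin, oldpinlen);
    memcpy(data + oldpinlen, newpin, newpinlen);
    int rc = consume_payload(data, datalen);
    memset(data, 0, datalen);   /* stands in for wipememory() */
    free(data);
    return rc;
}

/* Returns 1 when the consumer received exactly old||new byte for byte,
   which holds even if a PIN contains an embedded NUL byte. */
int payload_matches(const char *oldpin, size_t oldpinlen,
                    const char *newpin, size_t newpinlen)
{
    if (reset_retry_counter(oldpin, oldpinlen, newpin, newpinlen) != 0)
        return 0;
    return received_len == oldpinlen + newpinlen
        && memcmp(received, oldpin, oldpinlen) == 0
        && memcmp(received + oldpinlen, newpin, newpinlen) == 0;
}
```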