[Pkg-privacy-commits] [libotr] 13/20: Prevent integer overflow on 64-bit architectures when receiving 4GB messages

Intrigeri intrigeri at moszumanska.debian.org
Thu Mar 10 09:25:58 UTC 2016



intrigeri pushed a commit to annotated tag 4.1.1
in repository libotr.

commit ecfd4f468690af6e66b5bf92315972b86071ac1c
Author: Ian Goldberg <iang at cs.uwaterloo.ca>
Date:   Thu Mar 3 13:32:41 2016 +0100

    Prevent integer overflow on 64-bit architectures when receiving 4GB messages
    
    In several places in proto.c, the sizes of portions of incoming messages
    were stored in variables of type int or unsigned int instead of size_t.
    If a message arrives with very large sizes (for example unsigned int
    datalen = UINT_MAX), then constructions like malloc(datalen+1) wrap
    around to malloc(0), which on many C libraries returns a non-NULL
    pointer (the result of malloc(0) is implementation-defined), but
    UINT_MAX bytes will then get written through that pointer.
    
    Ensure all calls to malloc or realloc cannot integer overflow like this.
    
    Thanks to Markus Vervier of X41 D-Sec GmbH <markus.vervier at x41-dsec.de>
    for the report.
    
    Signed-off-by: Ian Goldberg <iang at cs.uwaterloo.ca>
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 src/proto.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/proto.c b/src/proto.c
index 1050620..1dd3533 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -715,7 +715,7 @@ gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
     unsigned int sender_keyid, recipient_keyid;
     gcry_mpi_t sender_next_y = NULL;
     unsigned char ctr[8];
-    unsigned int datalen, reveallen;
+    size_t datalen, reveallen;
     unsigned char *data = NULL;
     unsigned char *nul = NULL;
     unsigned char givenmac[20];
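Review bot: The widening of `datalen` and `reveallen` to size_t on the changed line only removes the wrap if size_t is wider than the 32-bit length field the message carries; on an ILP32 build size_t is 32 bits and `datalen + 1` still becomes 0 when datalen is 0xFFFFFFFF. That case is presumably unreachable there, since a 4 GiB message cannot have been read into memory on such a host, but an explicit rejection of `datalen == SIZE_MAX` (and likewise `reveallen`) immediately before the `malloc(datalen + 1)` call would make the invariant independent of the platform and would also document why the type change is sufficient. The body of otrl_proto_accept_data, including the reads that populate these two variables and the allocation sites, lies outside this hunk, so I could not confirm that every arithmetic use of them was updated.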
@@ -916,7 +916,7 @@ OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep,
 
     if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
 	if (k == 1) {
-	    int fraglen = end - start - 1;
+	    size_t fraglen = end - start - 1;
 	    size_t newsize = fraglen + 1;
 	    free(context->context_priv->fragment);
 	    context->context_priv->fragment = NULL;
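Review bot: `end - start - 1` on the changed line is still evaluated in int arithmetic and only afterwards widened to size_t; it is non-negative solely because of the `start < end` guard on the enclosing `if`, and a reader of the size_t declaration would not know that. I would record the dependency next to the computation, e.g. `/* start < end was checked above, so the int subtraction is >= 0 before widening to size_t */`. The identical expression is computed again in the `k == fragment_k + 1` branch; hoisting one `size_t fraglen = end - start - 1;` above `if (k == 1)` would keep the two branches from drifting apart. The enclosing function otrl_proto_fragment_accumulate begins before this hunk.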
@@ -937,7 +937,7 @@ OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep,
 	    }
 	} else if (n == context->context_priv->fragment_n &&
 		k == context->context_priv->fragment_k + 1) {
-	    int fraglen = end - start - 1;
+	    size_t fraglen = end - start - 1;
 	    char *newfrag = NULL;
 	    size_t newsize = context->context_priv->fragment_len + fraglen + 1;
 	    /* Check for overflow */
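Review bot: `newsize` on the changed block is the sum of two size_t values plus one, and the overflow test announced by the comment on the last line is outside this hunk, so whether it covers both a wrap in `fragment_len + fraglen` and a wrap in the trailing `+ 1` cannot be verified here. Checking the operands before the addition is easier to review than checking the wrapped result afterwards: `if (fraglen > SIZE_MAX - 1 - context->context_priv->fragment_len) { /* treat as overflow, same path as the existing check */ }` placed before the `newsize` computation. If `fragment_len` is not itself a size_t (its declaration is not visible), the mixed-width addition deserves a cast or comment as well.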
@@ -989,10 +989,10 @@ gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count,
 	char ***fragments, ConnContext *context, const char *message)
 {
     char *fragdata;
-    int fragdatalen = 0;
+    size_t fragdatalen = 0;
     int curfrag = 0;
-    int index = 0;
-    int msglen = strlen(message);
+    size_t index = 0;
+    size_t msglen = strlen(message);
     /* Should vary by number of msgs */
     int headerlen = context->protocol_version == 3 ? 37 : 19;
 
@@ -1012,7 +1012,7 @@ gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count,
 	int i;
 	char *fragmentmsg;
 
-	if (msglen - index < mms - headerlen) {
+	if (msglen - index < (size_t)(mms - headerlen)) {
 	    fragdatalen = msglen - index;
 	} else {
 	    fragdatalen = mms - headerlen;
