[sane-devel] possible bin_w_string security issue (not)
Fri, 15 Oct 2004 15:47:06 +0200
I was going to write a mail without the "(not)" but then discovered that
this issue is actually a non-issue, but this is totally non-obvious.
Would you know off-hand why?
bin_w_string contains the following code:
    if (w->direction == WIRE_DECODE)
        if (len == 0)
            *s = 0;                         /* empty string: no buffer */
        else if (w->status == 0)
            *(*s + len - 1) = '\0';         /* terminate only if the read succeeded */
If I interpret the code correctly, this could be used to bring the
server (running the binary protocol) into an invalid state:
1) send any kind of request that requires a string option at the end,
for example SANE_NET_AUTHORIZE
2) tell the server that the length is 10 or so
3) send 9 bytes and close the connection
The server will react to this in the following way (if I interpret the
* during sanei_w_array it will notice that the status is bad and return
* bin_w_string will not(!) zero-terminate the string (because it is
  assuming that *s is not valid, while it actually is);
  sanei_w_array doesn't clear the array if any item fails to read.
* now, the server has a password string that is not zero terminated,
and strcpy()s that string accessing memory beyond the allocated size.
[Actually, I discovered this while I was documenting the wire protocol.
I think it is overly complex and the code badly structured, the wire's
direction thing is really strange!]
Ok, so here's the solution:
The server does
signal (SIGPIPE, quit);
(which I think is actually another bug, why should sane_close,
sane_exit, sanei_w_exit and lots of other functions be async signal
Still, this is that non-obvious that someone writing a server (or
client, which could then be attacked by a malevolent server) with the
sanei library functions could easily oversee this detail, ignore SIGPIPE
or use sockets that don't raise it.
Therefore I'm still sending this mail in hope that someone fixes the
sanei_w_array function to check for status != 0 and clean up after
Johannes Berg (SIP Solutions)
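The failure mode described in the mail, as an added example that is not SANE code and not part of the original post: an in-memory byte buffer stands in for the socket, a constructed stream declares a 10-byte string but carries only 9 bytes, and two decoders consume it. `decode_string_unchecked` keeps the shape of the quoted bin_w_string (terminator written only when status == 0) and so hands back an allocated but unterminated buffer; `decode_string_checked` adds the clean-up the mail asks for. All names, the 4-byte length prefix and the sample streams are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the sanei wire: an in-memory byte buffer plays
   the socket, and a status field records the first failed read. */
typedef struct {
    const unsigned char *buf;
    size_t len;
    size_t pos;
    int status;     /* 0 while every read succeeded, non-zero afterwards */
} Wire;

static Wire wire_open(const unsigned char *buf, size_t len) {
    Wire w = { buf, len, 0, 0 };
    return w;
}

/* Copy n bytes from the "socket"; a short read copies what is there and
   sets status, mimicking a peer that closed the connection early. */
static void wire_read(Wire *w, void *dst, size_t n) {
    if (w->status) return;
    size_t avail = w->len - w->pos;
    if (avail < n) {
        memcpy(dst, w->buf + w->pos, avail);
        w->pos = w->len;
        w->status = 1;
        return;
    }
    memcpy(dst, w->buf + w->pos, n);
    w->pos += n;
}

/* Assumed framing: a 4-byte big-endian length precedes the string bytes. */
static size_t read_len(Wire *w) {
    unsigned char b[4] = {0, 0, 0, 0};
    wire_read(w, b, 4);
    return ((size_t)b[0] << 24) | ((size_t)b[1] << 16) | ((size_t)b[2] << 8) | b[3];
}

/* Same shape as the quoted bin_w_string: the terminator is written only when
   status == 0, so a short read returns an allocated, unterminated buffer.
   Bytes are prefilled with 'A' so the result does not depend on malloc. */
static char *decode_string_unchecked(Wire *w) {
    size_t len = read_len(w);
    if (w->status || len == 0) return NULL;
    char *s = malloc(len);
    if (!s) return NULL;
    memset(s, 'A', len);
    wire_read(w, s, len);
    if (w->status == 0)
        s[len - 1] = '\0';
    return s;
}

/* Same decoder with the clean-up the mail asks for: a failed read releases
   the buffer and returns nothing, so no caller can strcpy() from it. */
static char *decode_string_checked(Wire *w) {
    size_t len = read_len(w);
    if (w->status || len == 0) return NULL;
    char *s = malloc(len);
    if (!s) return NULL;
    memset(s, 'A', len);
    wire_read(w, s, len);
    if (w->status != 0) {
        free(s);
        return NULL;
    }
    s[len - 1] = '\0';
    return s;
}

/* True when a NUL terminator exists within the first len bytes. */
static int is_terminated(const char *s, size_t len) {
    return s != NULL && memchr(s, '\0', len) != NULL;
}

/* Constructed input: declares a 10-byte string, carries 9 bytes, then
   "closes the connection". */
static const unsigned char SHORT_STREAM[] = {
    0, 0, 0, 10, 'p', 'a', 's', 's', 'w', 'o', 'r', 'd', '!'
};
/* Constructed well-formed input: 7 bytes including the terminator. */
static const unsigned char FULL_STREAM[] = {
    0, 0, 0, 7, 'p', 'a', 's', 's', 'w', 'd', '\0'
};

int main(void) {
    Wire w = wire_open(SHORT_STREAM, sizeof SHORT_STREAM);
    char *s = decode_string_unchecked(&w);
    printf("unchecked: status=%d terminated=%d\n", w.status, is_terminated(s, 10));
    free(s);
    w = wire_open(SHORT_STREAM, sizeof SHORT_STREAM);
    s = decode_string_checked(&w);
    printf("checked:   status=%d returned=%s\n", w.status, s ? "buffer" : "NULL");
    free(s);
    return 0;
}
```

The unchecked decoder reports status 1 and terminated 0: the buffer survives the failed read with no NUL anywhere in its 10 bytes, which is exactly the state in which a later strcpy() walks past the allocation. The checked variant returns NULL on the same input, so the caller sees the failure instead of a bogus string.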