[sane-devel] Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server

Jörg Frings-Fürst debian at jff-webhosting.net
Sun Feb 12 07:43:23 UTC 2017


severity 854804 important
tags 854804 + moreinfo - security
thanks


Hello Kritphong,


On Sunday, 12.02.2017, 00:16 +0700, Kritphong Mongkhonvanit wrote:
> tags 854804 - moreinfo
> thanks
> 
> On Sat, Feb 11, 2017 at 11:54 AM, Jörg Frings-Fürst <debian at jff-webhosting.net> wrote:
[...]
> > On Friday, 10.02.2017, 10:33 -0500, Kritphong Mongkhonvanit wrote:
[...]
> >  Dear Maintainer,
> >  
> >  When saned receives a SANE_NET_CONTROL_OPTION packet with value_type ==
> >  SANE_TYPE_STRING and value_size larger than the actual length of the
> >  requested string, the response packet from the server contains a string
> >  object as long as value_size in the request. The bytes following the
> >  actual string appear to contain memory contents from the server.
> >  
> > 
> > Please let me explain:
> > 
> > You have found one or more parts in the code where a string with an
> > incorrect value_size is transferred? Then please tell us where.
> 
> I found that the transferred string in the value field of the SANE_NET_CONTROL_OPTION response packet is always the same size as the one requested, even if the actual string is shorter. I assume that this is intentional since the string is NULL-terminated. However, the part beyond the NULL-terminator appears to be uninitialized memory from the server, which can potentially contain sensitive information. I have yet to locate where in SANE's source code this is happening, but I am able to see the uninitialized memory in Wireshark, which suggests that it actually comes from the server rather than from my machine.
> 
[...]

In a short code search I found a point of use in net.c.

The authors are aware that the strings can be shorter than the
transferred size. You have written the appropriate code that ensures
that the strings only use the part until the final NULL.

Furthermore, the structure is overwritten with NULL before it is used.

At this point I don't see any security hole. So I set the severity to
important. In the future, I will close the bug, unless you create new
threats. 



CU 
Jörg


-- 
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key        : 8CA1D25D
CAcert Key S/N : 0E:D4:56

Old pgp Key: BE581B6E (revoked since 2014-12-31).

Jörg Frings-Fürst
D-54470 Lieser

Threema: SYR8SJXB

IRC: j_f-f at freenode.net
     j_f-f at oftc.net

My wish list: 
 - Please send me a picture from the nature at your home.
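An added illustration of the two patterns this thread turns on, written for this page and not taken from saned or net.c: VALUE_SIZE, build_value, count_nonzero_tail and the 0xAA stand-in for stale buffer contents are all constructed here. The leaky variant writes only the string and its terminator into a buffer whose tail is left as it was; the hardened variant zeroes the whole value first, which is the property the maintainer reports for saned's code; the receiver-side check counts what Wireshark showed by eye.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire size of one SANE_NET_CONTROL_OPTION string value;
 * everything here is constructed for this example, not saned's code. */
#define VALUE_SIZE 32

/* Builds the value field. 0xAA stands in for whatever stale data the
 * buffer held before (kept deterministic on purpose). The leaky variant
 * writes only the string and its NUL and ships the tail unchanged; the
 * hardened variant zeroes the whole value before copying. */
static void build_value(uint8_t *out, size_t value_size, const char *s,
                        int zero_first)
{
    size_t n = strlen(s);
    memset(out, 0xAA, value_size);           /* simulated stale memory */
    if (zero_first)
        memset(out, 0, value_size);          /* the fix: clear it all */
    if (n >= value_size) n = value_size - 1; /* keep room for the NUL */
    memcpy(out, s, n);
    out[n] = '\0';
}

/* Receiver-side check: number of non-zero bytes after the first NUL,
 * or -1 if the value carries no terminator at all. */
static long count_nonzero_tail(const uint8_t *val, size_t value_size)
{
    size_t i = 0;
    long n = 0;
    while (i < value_size && val[i] != '\0') i++;
    if (i == value_size) return -1;
    for (i++; i < value_size; i++)
        if (val[i] != 0) n++;
    return n;
}

/* Convenience: build a VALUE_SIZE value for s and report its tail. */
static long tail_after(const char *s, int zero_first)
{
    uint8_t buf[VALUE_SIZE];
    build_value(buf, sizeof buf, s, zero_first);
    return count_nonzero_tail(buf, sizeof buf);
}
```

For a 7-character option value such as "Lineart" the leaky builder ships 24 bytes of stale data after the NUL, the zeroed builder none; a string that fills the whole value leaves no tail in either case.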

