automated cppcheck for gnupg
Leo Gaspard
ekleog at gmail.com
Wed Apr 16 14:14:16 CEST 2014
On Wed, Apr 16, 2014 at 02:04:30PM +0200, Werner Koch wrote:
> On Wed, 16 Apr 2014 12:41, ekleog at gmail.com said:
>
> >> ctx = malloc (sizeof *ctx);
> >> if (!ctx)
> >>   {
> >>     trace_error (ctx->err_source);
> >>     return NULL;
> >>   }
>
> > Here, the argument to gpg_strsource (assuming the point of the mistake is the
> > one of the latest git commit on libassuan) would be attacker-controlled, as a
> > consequence the one to gpg_err_source. Doing no check, it means the
>
> No, the argument is not attacker controlled.
Well... Assuming the OS flaw from the first paragraph of my former answer, it
would be, as it is a NULL deref that is mapped to a page chosen by the attacker
(so long as the needed page can be found in the kernel pages, but there are a
lot of kernel pages).
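The failure path under discussion, as an added example that is not part of this thread or of libassuan's code: the `struct ctx` layout, the `ctx_alloc` allocator hook, the `trace_error` recorder and the `ctx_new_*` / `check_*` function names are all constructed for illustration. The buggy constructor keeps the shape of the quoted snippet (the error branch reads `ctx->err_source` through the pointer it just found to be NULL); the fixed one traces the error source the caller already knows, so nothing is ever read through the unallocated object.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed for this example; not libassuan's real error sources or context. */
enum { SRC_UNKNOWN = 0, SRC_ASSUAN = 5 };

struct ctx {
    int err_source;   /* which component reported an error */
    int value;
};

/* Test hook: when non-zero, the next allocation returns NULL. */
static int g_fail_next_alloc;

static void *ctx_alloc(size_t n)
{
    if (g_fail_next_alloc) {
        g_fail_next_alloc = 0;
        return NULL;
    }
    return calloc(1, n);
}

/* Records the last value handed to trace_error so a caller can observe
   what the error path actually did. */
static int g_last_traced = -1;

static void trace_error(int source)
{
    g_last_traced = source;
}

/* Same shape as the quoted snippet. The read of ctx->err_source in the
   failure branch is a NULL dereference: undefined behaviour, and on a system
   that lets the zero page be mapped it reads whatever was placed there.
   Kept only to show the bug; never drive it with a failing allocator. */
struct ctx *ctx_new_buggy(int err_source)
{
    struct ctx *ctx = ctx_alloc(sizeof *ctx);
    if (!ctx) {
        trace_error(ctx->err_source);   /* BUG: ctx is NULL here */
        return NULL;
    }
    ctx->err_source = err_source;
    return ctx;
}

/* Fixed: the error source is known before the allocation is attempted, so
   the trace call uses the caller's value and never touches ctx. */
struct ctx *ctx_new_fixed(int err_source)
{
    struct ctx *ctx = ctx_alloc(sizeof *ctx);
    if (!ctx) {
        trace_error(err_source);
        return NULL;
    }
    ctx->err_source = err_source;
    return ctx;
}

/* Forces the allocation to fail and checks that the fixed constructor
   returns NULL and traces the caller-supplied source. Returns 1 on success. */
int check_fixed_failure_path(void)
{
    g_last_traced = -1;
    g_fail_next_alloc = 1;
    struct ctx *c = ctx_new_fixed(SRC_ASSUAN);
    return c == NULL && g_last_traced == SRC_ASSUAN;
}

/* Normal path: allocation succeeds and the source is stored. Returns 1 on success. */
int check_fixed_success_path(void)
{
    g_fail_next_alloc = 0;
    struct ctx *c = ctx_new_fixed(SRC_ASSUAN);
    int ok = c != NULL && c->err_source == SRC_ASSUAN;
    free(c);
    return ok;
}
```

Only the fixed constructor is driven through the allocation failure. Calling `ctx_new_buggy` with the allocator forced to fail is undefined behaviour: it segfaults on an ordinary system, and under the OS condition described in the reply it would instead read from a page of the attacker's choosing.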