[PINENTRY PATCH] gnome3: Avoid risk of uninitialized memory access.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat Nov 5 22:53:47 CET 2016
* gnome3/pinentry-gnome3.c (_propagate_g_error_to_pinentry): Ensure
that pinentry->specific_err_info is null-terminated.
--
It's possible that "%d: %s" ends up producing more than 20 additional
characters. A 64-bit signed int at its minimum is
"-9223372036854775808", which is 20 characters. On any platform where
gint is 128-bit (I don't know whether they exist), it could be
significantly more.
snprintf doesn't write the final NUL byte if the string exceeds the
buffer, so anyone reading specific_err_info as a NUL-terminated string
in such a case would go on to read uninitialized memory after the
buffer. So we should force there to always be a NUL char after the
written buffer. It would be simpler to use asprintf, but I suspect
that's not portable enough for use in pinentry.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
gnome3/pinentry-gnome3.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/gnome3/pinentry-gnome3.c b/gnome3/pinentry-gnome3.c
index ba6ab46..b164ed0 100644
--- a/gnome3/pinentry-gnome3.c
+++ b/gnome3/pinentry-gnome3.c
@@ -93,13 +93,16 @@ static void
_propagate_g_error_to_pinentry (pinentry_t pe, GError *error,
gpg_err_code_t code, const char *loc)
{
- size_t infolen = strlen(error->message) + 20;
+ size_t infolen = strlen(error->message) + 24;
pe->specific_err = gpg_error (code);
- pe->specific_err_info = malloc (infolen);
+ pe->specific_err_info = malloc (infolen + 1);
if (pe->specific_err_info)
- snprintf (pe->specific_err_info, infolen,
- "%d: %s", error->code, error->message);
+ {
+ pe->specific_err_info[infolen] = '\0';
+ snprintf (pe->specific_err_info, infolen,
+ "%d: %s", error->code, error->message);
+ }
pe->specific_err_loc = loc;
}
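Review bot: the manual terminator written at `pe->specific_err_info[infolen] = '\0';` is a byte that the following `snprintf (pe->specific_err_info, infolen, ...)` never touches, because a C99 snprintf given size `infolen` writes at most `infolen - 1` characters plus its own NUL; the extra byte therefore only helps on pre-C99 libcs whose snprintf may omit the terminator, and if that portability case is the motivation it deserves a comment at that line. The case snprintf does not protect against is silent truncation of the "%d: %s" text when the 24-byte margin is ever too small, so consider keeping snprintf's return value and treating `>= infolen` as an error (or passing `infolen + 1`, the size actually allocated, so the spare byte is at least usable).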
--
2.10.1
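A companion to the sizing argument in the cover note, added here as an illustration and not pinentry's own code: it measures the "%d: %s" text with a NULL snprintf before allocating (C99 semantics assumed) and shows that a fixed 20-byte margin is too small for the widest 64-bit value the note cites, while 24 is enough. The `long long` code and the message text are constructed stand-ins for the gint code and GError message.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size-by-measurement variant: ask snprintf how long "<code>: <message>"
   is before allocating, so no fixed margin (20 or 24) is needed at all.
   Returns a malloc'd, NUL-terminated string, or NULL on failure. */
char *format_err_info(long long code, const char *message)
{
    int need = snprintf(NULL, 0, "%lld: %s", code, message);
    if (need < 0)
        return NULL;
    size_t len = (size_t)need + 1;             /* room for the terminator */
    char *buf = malloc(len);
    if (!buf)
        return NULL;
    int wrote = snprintf(buf, len, "%lld: %s", code, message);
    if (wrote < 0 || (size_t)wrote >= len) {   /* cannot happen here; detect anyway */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Fixed-margin variant, the shape the patched code uses: strlen(message)
   plus a margin. Returns 1 if the text would be truncated for that margin,
   0 if it fits, -1 on allocation failure. Under C99 the buffer is
   NUL-terminated either way; only the content can be cut short. */
int truncated_with_margin(long long code, const char *message, size_t margin)
{
    size_t infolen = strlen(message) + margin;
    char *buf = malloc(infolen);
    if (!buf)
        return -1;
    int wrote = snprintf(buf, infolen, "%lld: %s", code, message);
    int trunc = (wrote < 0 || (size_t)wrote >= infolen) ? 1 : 0;
    free(buf);
    return trunc;
}

int main(void)
{
    /* Constructed worst case: the 20-character minimum of a 64-bit int. */
    char *s = format_err_info(LLONG_MIN, "cannot open display");
    printf("%s\n20-byte margin truncates: %d, 24-byte margin truncates: %d\n", s,
           truncated_with_margin(LLONG_MIN, "cannot open display", 20),
           truncated_with_margin(LLONG_MIN, "cannot open display", 24));
    free(s);
    return 0;
}
```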
More information about the Gnupg-devel mailing list