[PINENTRY PATCH] gnome3: Avoid risk of uninitialized memory access.

Neal H. Walfield neal at walfield.org
Mon Nov 7 01:28:09 CET 2016


I changed the code to use g_strdup_printf to do the actual formatting.
Then, there is no possibility of a buffer overflow.

Thanks!

:) Neal

At Sat,  5 Nov 2016 17:53:47 -0400,
Daniel Kahn Gillmor wrote:
> 
> * gnome3/pinentry-gnome3.c (_propagate_g_error_to_pinentry): Ensure
> that pinentry->specific_err_info is null-terminated.
> 
> --
> 
> It's possible that "%d: %s" ends up producing more than 20 additional
> characters.  A 64-bit signed int at its minimum is
> "-9223372036854775808", which is 20 characters.  On any platform where
> gint is 128-bit (i don't know whether they exist), it could be
> significantly more.
> 
> snprintf doesn't write the final NUL byte if the string exceeds the
> buffer, so anyone reading specific_err_info as a NUL-terminated string
> in such a case would go on to read uninitialized memory after the
> buffer.  So we should force there to always be a NUL char after the
> written buffer.  It would be simpler to use asprintf, but i suspect
> that's not portable enough for use in pinentry.
> 
> Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> ---
>  gnome3/pinentry-gnome3.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/gnome3/pinentry-gnome3.c b/gnome3/pinentry-gnome3.c
> index ba6ab46..b164ed0 100644
> --- a/gnome3/pinentry-gnome3.c
> +++ b/gnome3/pinentry-gnome3.c
> @@ -93,13 +93,16 @@ static void
>  _propagate_g_error_to_pinentry (pinentry_t pe, GError *error,
>                                  gpg_err_code_t code, const char *loc)
>  {
> -  size_t infolen = strlen(error->message) + 20;
> +  size_t infolen = strlen(error->message) + 24;
>  
>    pe->specific_err = gpg_error (code);
> -  pe->specific_err_info = malloc (infolen);
> +  pe->specific_err_info = malloc (infolen + 1);
>    if (pe->specific_err_info)
> -    snprintf (pe->specific_err_info, infolen,
> -              "%d: %s", error->code, error->message);
> +    {
> +      pe->specific_err_info[infolen] = '\0';
> +      snprintf (pe->specific_err_info, infolen,
> +                "%d: %s", error->code, error->message);
> +    }
>    pe->specific_err_loc = loc;
>  }
>  
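Review bot: the sentinel write `pe->specific_err_info[infolen] = '\0';` in this hunk only helps on a platform whose snprintf does not terminate truncated output; a C99-conforming snprintf called with size `infolen` always writes its NUL within the first `infolen` bytes, so on such platforms the byte at `[infolen]` is never the terminator a reader stops at, and the residual defect is silent truncation whenever "%d: %s" exceeds the `+ 24` estimate. Consider sizing from the format itself (`snprintf (NULL, 0, "%d: %s", error->code, error->message)` followed by a second call into a buffer of that length plus one, or g_strdup_printf as the follow-up reply uses) so that neither the estimate nor the sentinel is needed. If the sentinel stays, passing `infolen + 1` to snprintf would at least match the `malloc (infolen + 1)` two lines above and avoid wasting the extra byte.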
> -- 
> 2.10.1
> 
> 
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
> 
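
A portable stand-in for the g_strdup_printf approach Neal's reply describes, added here as an example and not pinentry's own code: it measures the formatted length first, so the "%d: %s" string is never truncated and is always NUL-terminated whatever width the integer has. The names xstrdup_printf, format_err_info and err_info_overhead are invented for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Example-only stand-in for g_strdup_printf(): measure first, then
 * allocate exactly what the formatted string needs plus the NUL, so the
 * result can neither be truncated nor left unterminated. Returns NULL on
 * allocation failure or a vsnprintf encoding error. */
static char *
xstrdup_printf (const char *fmt, ...)
{
  va_list ap, ap2;
  int needed;
  char *buf;

  va_start (ap, fmt);
  va_copy (ap2, ap);
  /* C99: with size 0 and a NULL buffer, vsnprintf only reports the
   * number of characters the full output would have, excluding NUL. */
  needed = vsnprintf (NULL, 0, fmt, ap);
  va_end (ap);
  if (needed < 0)
    {
      va_end (ap2);
      return NULL;
    }
  buf = malloc ((size_t) needed + 1);
  if (buf)
    vsnprintf (buf, (size_t) needed + 1, fmt, ap2);
  va_end (ap2);
  return buf;
}

/* Builds the same "%d: %s" error info string the pinentry patch
 * discusses, but sized exactly; the caller frees the result. */
static char *
format_err_info (int code, const char *message)
{
  return xstrdup_printf ("%d: %s", code, message);
}

/* How many bytes "%d: " really adds on top of strlen(message), for
 * comparing against the fixed +20 / +24 budgets used in the patch. */
static size_t
err_info_overhead (int code)
{
  return (size_t) snprintf (NULL, 0, "%d: ", code);
}
```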


