[gnutls-dev] gnutls-0.3.2 bugs

Marc Huber Marc.Huber@web.de
Thu Jan 17 10:59:01 2002


Trying to follow the instructions in src/README.srpcrypt I found that

- _gnutls_sbase64_encode() doesn't NUL-terminate strings smaller than
  4 bytes, and probably does the wrong thing for longer strings (I
  haven't done any in-depth auditing on this, so I might be wrong.)

- _gnutls_get_random() tries to gnutls_free() a gcry_malloc()ed pointer

- crypt_int() tries to free() a gnutls_malloc()ed pointer

- read_conf_values(): _gnutls_sbase64_decode() doesn't allocate memory
  on failure, so gnutls_free() shouldn't be called.

Cheers,

Marc


diff -cr gnutls-0.3.2.original/lib/auth_srp_sb64.c gnutls-0.3.2/lib/auth_srp_sb64.c
*** gnutls-0.3.2.original/lib/auth_srp_sb64.c	Tue Jul 31 03:16:01 2001
--- gnutls-0.3.2/lib/auth_srp_sb64.c	Tue Jan 15 23:15:25 2002
***************
*** 144,150 ****
  
  	ret += (data_size * 4) / 3;
  
! 	(*result) = gnutls_malloc( ret + 1);
  	if ((*result) == NULL)
  		return -1;
  
--- 144,150 ----
  
  	ret += (data_size * 4) / 3;
  
! 	(*result) = gnutls_calloc(1, ret + 1);
  	if ((*result) == NULL)
  		return -1;
  
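Review bot: After this hunk and the 171,177 hunk of the same file, the output's NUL terminator exists only because `gnutls_calloc(1, ret + 1)` zero-fills and nothing in the loop writes byte `ret`; the function then returns `strlen(*result)`, so its result depends on allocation semantics rather than on the bytes it actually wrote. That is sound today but fragile: if the estimate `ret += (data_size * 4) / 3;` is ever changed or undersized, the buffer becomes unterminated with no check catching it. A more robust shape keeps the calloc, tracks the output offset the `memcpy(&(*result)[j], tmpres, tmp)` advances, terminates once after the loop at that offset and returns it instead of calling `strlen`; at minimum add `/* gnutls_calloc zero-fills: byte ret is the terminator, the loop below must never write it */` at the allocation so the reliance is explicit. Note also that `data_size * 4` is evaluated before the division and, depending on the (not visible) type of `data_size`, can overflow for large inputs — a bound check before the multiplication would close that. _gnutls_sbase64_encode begins before this hunk and its loop is only partly visible.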
***************
*** 171,177 ****
  			return tmp;
  		}
  		memcpy(&(*result)[j], tmpres, tmp);
- 		(*result)[j+tmp] = 0;
  	}
  
  	return strlen(*result);
--- 171,176 ----
diff -cr gnutls-0.3.2.original/lib/gnutls_random.c gnutls-0.3.2/lib/gnutls_random.c
*** gnutls-0.3.2.original/lib/gnutls_random.c	Sun Dec 23 14:18:39 2001
--- gnutls-0.3.2/lib/gnutls_random.c	Tue Jan 15 23:03:33 2002
***************
*** 75,81 ****
      }
  
      memcpy( res, buf, bytes);
!     gnutls_free(buf);
      
      return 0;
  #endif
--- 75,81 ----
      }
  
      memcpy( res, buf, bytes);
!     gcry_free(buf);
      
      return 0;
  #endif
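Review bot: Pairing the release with the allocator is the right fix, but the hunk only shows the success path; the error branch closed by the `}` at the top of the hunk, and any other return inside this `#ifdef` arm, must also release `buf` with `gcry_free` rather than `gnutls_free`, and that is not visible here. Since `buf` holds the random bytes that were just copied into `res`, it is worth confirming which libgcrypt call produced it: if it is the secure variant, `gcry_free` is documented to wipe and return the secure-memory block, which `gnutls_free` would not do. A comment at the free, `/* buf comes from libgcrypt's allocator: release with gcry_free, never gnutls_free */`, records the pairing that this mismatch shows was easy to get wrong. _gnutls_get_random begins before this hunk.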
diff -cr gnutls-0.3.2.original/src/crypt.c gnutls-0.3.2/src/crypt.c
*** gnutls-0.3.2.original/src/crypt.c	Sun Dec 23 14:19:00 2001
--- gnutls-0.3.2/src/crypt.c	Wed Jan 16 00:17:17 2002
***************
*** 380,386 ****
  		if (put==0) {
  			fprintf(fd, "%s:%s:%u\n", username, cr, iindex);
  		}
! 		free(cr);
  		
  		fclose(fd);
  		fclose(fd2);
--- 380,386 ----
  		if (put==0) {
  			fprintf(fd, "%s:%s:%u\n", username, cr, iindex);
  		}
! 		gnutls_free(cr);
  		
  		fclose(fd);
  		fclose(fd2);
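Review bot: `gnutls_free(cr)` now matches the allocator, but the two `fclose()` results on the lines below it are discarded, and `fd` is the stream the new password entry was just written to with `fprintf`; a failed flush (disk full, I/O error) silently drops the entry and the caller has no way to tell. Check at least the write stream, `if (fclose(fd) != 0) { /* report and fail */ }`, and document the ownership that this fix makes implicit with a comment such as `/* cr: gnutls_malloc'ed by the hashing routine above; released here with gnutls_free */`. `fclose(fd2)` appears to close the input side, where an unchecked return is harmless. The enclosing function continues on both sides of the hunk.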
***************
*** 422,428 ****
  	tmp_size = _gnutls_sbase64_decode(p, len, &tmp);
  
  	if (tmp_size < 0) {
- 		gnutls_free(tmp);
  		return -1;
  	}
  	if (gcry_mpi_scan(g, GCRYMPI_FMT_USG, tmp, &tmp_size)) {
--- 422,427 ----
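Review bot: Dropping `gnutls_free(tmp)` in the failure branch makes correctness depend on `_gnutls_sbase64_decode()` never allocating when it fails; that contract is not stated anywhere in the hunk, and `tmp` is not visibly initialised before the call. A defensive shape is to set `tmp = NULL` before the decode and, if `gnutls_free` tolerates NULL the way `free()` does, keep the release so a decoder that someday allocates before failing cannot leak; otherwise add `/* _gnutls_sbase64_decode() leaves *tmp untouched on failure */` at the call site. Separately, `&tmp_size` is handed to `gcry_mpi_scan`, whose length parameter is a `size_t *`; if `tmp_size` is therefore declared `size_t`, the `tmp_size < 0` test can never be true and a negative decode result would flow on into `gcry_mpi_scan` — confirm the declaration, which is above the hunk. read_conf_values continues past the end of the hunk.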