gnutls_calloc
Werner Koch
wk at gnupg.org
Wed Sep 17 13:09:38 CEST 2008
Hi,

A quick grep shows:

lib/auth_cert.c:
    gnutls_calloc (1, sizeof (gnutls_datum_t) * ncerts);
lib/gnutls_cert.c:
    *alg = gnutls_calloc (1, sizeof (gnutls_kx_algorithm_t) * i);
lib/gnutls_session_pack.c:
    gnutls_calloc (1, sizeof (gnutls_datum_t) * info->ncerts);
libextra/openssl_compat.c:
    gnutls_calloc (1, ca_certificate_list_size * sizeof (gnutls_x509_crt_t));
libextra/openssl_compat.c:
    crl_list = gnutls_calloc (1, crl_list_size * sizeof (gnutls_x509_crl_t));

Thus even with a correct gnutls_calloc, it is still vulnerable to
integer overflows. The above code (there might be more of this) needs
to be changed to:

    gnutls_calloc (ncerts, sizeof (gnutls_datum_t));

and so on.

Shalom-Salam,
Werner
--
Linux-Kongress 2008 + Hamburg + October 7-10 + www.linux-kongress.org
Thoughts are free. Exceptions are regulated by a federal law.
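
Added example, not part of the original message and not GnuTLS code: a small C program showing why the two call shapes differ. The names struct datum (a stand-in for gnutls_datum_t), wrapped_request and checked_calloc are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for gnutls_datum_t (assumption: a pointer plus a length). */
struct datum { unsigned char *data; unsigned int size; };

/* The byte count that calloc (1, size * n) really receives: the caller
 * multiplies in size_t, and the product wraps before the allocator runs,
 * so no check inside the allocator can catch it. */
size_t wrapped_request(size_t n, size_t size)
{
    return n * size;
}

/* Hypothetical checked allocator: because both factors arrive as
 * separate arguments, the overflow test can live in one place. */
void *checked_calloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;            /* n * size does not fit in size_t */
    return calloc(n, size);
}

int main(void)
{
    size_t elem = sizeof(struct datum);
    /* Constructed count, standing in for a peer-controlled ncerts. */
    size_t n = SIZE_MAX / elem + 2;

    /* Old pattern: the request shrinks to the size of one element while
     * the caller still believes it owns n elements. */
    printf("calloc (1, n * size) asks for %zu bytes for %zu elements\n",
           wrapped_request(n, elem), n);

    /* Corrected pattern: the same count is refused. */
    void *p = checked_calloc(n, elem);
    printf("checked_calloc (n, size) returns %s\n", p ? "a buffer" : "NULL");
    free(p);

    /* An ordinary count still works. */
    p = checked_calloc(4, elem);
    printf("checked_calloc (4, size) returns %s\n", p ? "a buffer" : "NULL");
    free(p);
    return 0;
}
```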