[sr #107527] Use of dangerous/banned functions (Analysis)
Tomas Hoger
INVALID.NOREPLY at gnu.org
Fri Nov 19 09:50:12 CET 2010
Follow-up Comment #2, sr #107527 (project gnutls):
> This SR will analyze the code around a cluster of calls to
> strcpy in serv.c. The lines of interest in peer_print_info
> (from the SR $107525 audit) are:
>
> 451: size_t len = 5 * 1024 + strlen (header);
> 457: http_buffer = malloc (len);
> ...
>
> 461: strcpy (http_buffer, HTTP_BEGIN);
> 462: strcpy (&http_buffer[sizeof (HTTP_BEGIN) - 1], DEFAULT_DATA);
> 463: strcpy (&http_buffer[sizeof (HTTP_BEGIN) + sizeof (DEFAULT_DATA) - 2],
HTTP_END);
> 465: *ret_length = sizeof (DEFAULT_DATA) + sizeof (HTTP_BEGIN) + sizeof
(HTTP_END) - 3;
This code block copies 3 hard-coded strings with total length of ~330
characters to buffer that has at least 5*1024 bytes.
> From the Open Group Base Specifications for strlen(), it
> appears no constraints are placed on the string 's' and no
> errors are defined for the function, which implies all
> arguments - including NULL - are acceptable. Yet a test
> program faults on GNU Linux with a NULL argument:
Right, so you can crash your test program by doing strlen(NULL). You can
check get_response() to see if peer_print_info() can ever be called with NULL
header.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107527>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
More information about the Gnutls-devel
mailing list