Possible buffer overflow on gnutls_session_get_data

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Nov 8 13:49:14 CET 2011


On Tue, Nov 8, 2011 at 12:55 PM, Alban Crequy
<alban.crequy at collabora.co.uk> wrote:
> The gnutls_session_get_data function in the GnuTLS library before
> 3.0.6 or before 2.12.13 on the 2.12.x branch could overflow a
> too-short buffer parameter allocated by the caller. The test to avoid
> the buffer overflow was not working correctly.
> Often the code using the GnuTLS library calls gnutls_session_get_data()
> twice: the first time to get the buffer size and the second time with a
> buffer allocated to the correct size. In this code pattern, there is no
> buffer overflow.
[...]

Thank you for finding out this bug and reporting it. I'll point the
security advisory for this issue to your mail later this day. An
update to your note is that gnutls releases 2.12.14 and 3.0.7
correctly fix the issue.

best regards,
Nikos
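
The size-query contract behind the two-call pattern described in the quoted report, as an added example that is not part of the original message or of GnuTLS: a correct check rejects a too-short buffer before copying anything and reports the required size. `export_session`, `fetch_session`, `E_SHORT_BUFFER` and the sample blob are hypothetical stand-ins, not GnuTLS names or its actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define E_SHORT_BUFFER (-51) /* constructed error code for this model */

/* Constructed stand-in for packed session data; not real GnuTLS output. */
static const unsigned char PACKED[] = "constructed-session-blob-0123456789";

/* Hypothetical exporter with a size-query contract: *size is the caller's
 * capacity on entry and the required length on return. */
static int export_session(void *out, size_t *size)
{
    size_t need = sizeof(PACKED);
    if (out == NULL || *size < need) { /* check BEFORE any copy */
        *size = need;
        return E_SHORT_BUFFER;
    }
    memcpy(out, PACKED, need);
    *size = need;
    return 0;
}

/* Two-call caller pattern: query the size, allocate, then fetch. */
static unsigned char *fetch_session(size_t *len)
{
    size_t need = 0;
    if (export_session(NULL, &need) != E_SHORT_BUFFER || need == 0)
        return NULL;
    unsigned char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    *len = need; /* pass the real capacity, never a guess */
    if (export_session(buf, len) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    size_t len = 0;
    unsigned char *buf = fetch_session(&len);
    if (buf == NULL)
        return 1;
    printf("exported %zu bytes\n", len);
    free(buf);
    return 0;
}
```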



