[gnutls-devel] GnuTLS 3.2.15 SIGSEGV in _gnutls_buffer_append_data

Jaak Ristioja jaak.ristioja at cyber.ee
Tue Dec 16 17:28:56 CET 2014


On 16.12.2014 16:33, Nikos Mavrogiannopoulos wrote:
> -faddress=sanitize is an alternative way to debug memory corruptions.

Using the sanitizers under certain Hardened Gentoo configurations is a
bit complicated. But I know I should.

> However, I tried your test case with 3.3.11 and there hasn't been any
> issue. Have you tried the latest gnutls versions?

I tried the *.c files I sent earlier with GnuTLS 3.3.10 and got the
INT32_MIN issue.

>>> The idea is to have a buffer where data can be appended easily and
>>> quickly.
>> The code seems to contain a lot of complicated logic for something which
>> should be rather simple. I don't understand why all the memmove logic is
>> needed when appending to the buffer.
> 
> The buffer has the ability for quick consumption of its data (see
> buffer_pop_datum), but when appending to a buffer you most probably want
> to re-use any space that was consumed by buffer_pop_datum(). Said that,
> if you think there can be optimizations please suggest them.

Please correct me if I have misunderstood this. So the buffer is a FIFO
of bytes, which only reallocates the storage if full. The allocd field
points to the start of the (re)allocated memory, the data field points
to the data not yet popped, the max_length field is the size of the
allocation, and the length field is the size of the data still in the
buffer which has not yet been popped.

I just submitted a small set of patches to optimize the
_gnutls_buffer_append_data() function a little. Please note, however,
that there are still at least 3 potential problems in that function:

1) Setting tot_len may overflow the size_t destination type:
  size_t const tot_len = data_size + dest->length;

2) Setting new_len may overflow the size_t destination type:
  size_t const new_len =
    MAX(data_size, MIN_CHUNK) + MAX(dest->max_length,
                    MIN_CHUNK);

3) Returning unsigned tot_len (size_t) may overflow the return type
(signed int):
  return tot_len;

I think I'm getting one of these issues. Maybe there's something wrong
with gnutls_record_send that it keeps filling the buffer even when the
maximum record size has been reached?

Regards,
Jaak Ristioja
Cybernetica AS
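To make the three arithmetic hazards listed in the mail concrete, here is an added example (my own code, not GnuTLS's): a small byte FIFO with the field layout described above, whose append checks every sum before performing it and refuses any total that would not survive the `int` return type. The struct and field names, the error codes, the `MIN_CHUNK` value of 1024 and all function names are assumptions made for this example; the self-test data is constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MIN_CHUNK 1024                     /* assumed chunk size */
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define BUF_E_OVERFLOW (-1)                /* error codes for this example only */
#define BUF_E_MEMORY   (-2)

/* Byte FIFO with the layout described in the mail (names assumed):
 * allocd = start of the (re)allocated block, data = first unread byte,
 * length = unread bytes, max_length = size of the allocation. */
typedef struct {
    uint8_t *allocd;
    uint8_t *data;
    size_t length;
    size_t max_length;
} byte_fifo;

void fifo_init(byte_fifo *b) { memset(b, 0, sizeof *b); }
void fifo_free(byte_fifo *b) { free(b->allocd); fifo_init(b); }

/* Problem 2: compute the growth target without letting the sum wrap. */
int checked_new_len(size_t data_size, size_t max_length, size_t *out)
{
    size_t a = MAX(data_size, (size_t)MIN_CHUNK);
    size_t b = MAX(max_length, (size_t)MIN_CHUNK);
    if (a > SIZE_MAX - b)
        return BUF_E_OVERFLOW;
    *out = a + b;
    return 0;
}

/* Append data_size bytes; returns the new length (fits in int) or an error. */
int fifo_append(byte_fifo *dest, const void *src, size_t data_size)
{
    if (data_size > SIZE_MAX - dest->length)   /* problem 1: sum would wrap */
        return BUF_E_OVERFLOW;
    size_t tot_len = data_size + dest->length;
    if (tot_len > (size_t)INT_MAX)             /* problem 3: must fit the int */
        return BUF_E_OVERFLOW;
    if (data_size == 0)
        return (int)dest->length;

    size_t off = dest->allocd ? (size_t)(dest->data - dest->allocd) : 0;
    if (tot_len > dest->max_length) {
        size_t new_len;
        int rc = checked_new_len(data_size, dest->max_length, &new_len);
        if (rc != 0)
            return rc;
        uint8_t *p = realloc(dest->allocd, new_len);
        if (p == NULL)
            return BUF_E_MEMORY;
        dest->allocd = p;
        dest->data = p + off;
        dest->max_length = new_len;
    }
    /* Reuse space released by fifo_pop: if the tail cannot hold the new
     * bytes, slide the unread bytes back to the start of the block. */
    if (dest->max_length - off - dest->length < data_size) {
        memmove(dest->allocd, dest->data, dest->length);
        dest->data = dest->allocd;
    }
    memcpy(dest->data + dest->length, src, data_size);
    dest->length += data_size;
    return (int)dest->length;
}

/* Consume up to n bytes from the front; returns how many were copied. */
size_t fifo_pop(byte_fifo *b, void *out, size_t n)
{
    if (n > b->length)
        n = b->length;
    memcpy(out, b->data, n);
    b->data += n;
    b->length -= n;
    return n;
}

/* Walks the FIFO through append, pop, space reuse and the overflow guards;
 * returns 1 when every step behaved as expected. */
int fifo_selftest(void)
{
    byte_fifo b;
    uint8_t big[2048], out[8];
    int ok = 1;
    fifo_init(&b);
    memset(big, 'A', sizeof big);                       /* constructed data */
    ok &= fifo_append(&b, "hello", 5) == 5;             /* grows to 2048 */
    ok &= b.max_length == 2048;
    ok &= fifo_pop(&b, out, 3) == 3 && memcmp(out, "hel", 3) == 0;
    ok &= fifo_append(&b, big, 2043) == 2045;           /* fills the tail */
    ok &= b.data == b.allocd + 3;
    ok &= fifo_pop(&b, big, 2000) == 2000;              /* 45 left, tail full */
    ok &= fifo_append(&b, "0123456789", 10) == 55;      /* memmove, no realloc */
    ok &= b.data == b.allocd && b.max_length == 2048;
    ok &= b.data[0] == 'A' && memcmp(b.data + 45, "0123456789", 10) == 0;
    /* Problems 1 and 3: rejected before any memory is touched. */
    ok &= fifo_append(&b, big, SIZE_MAX - 10) == BUF_E_OVERFLOW;
    ok &= fifo_append(&b, big, (size_t)INT_MAX) == BUF_E_OVERFLOW;
    ok &= b.length == 55;
    fifo_free(&b);
    return ok;
}
```

The ordering matters: the wrap check on `data_size + length` has to come before `tot_len` is computed, and the `INT_MAX` check has to come before any allocation, otherwise a huge `data_size` reaches `realloc` or, worse, a wrapped `tot_len` passes the `max_length` comparison and the `memcpy` writes past the block.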
