[gnutls-devel] GnuTLS | Check truncation of snprintf() (#901)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Jan 7 17:12:16 CET 2020

Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/issues/901

It is possible that a truncation remains unnoticed and we continue working with truncated strings (filenames?)... IMO not a good thing to do.

From Jeffrey Walton:
```
FYI...

On Sun, Dec 22, 2019 at 11:25 AM Jeffrey Walton <noloader at gmail.com> wrote:
>
> Hi Everyone,
>
> I'm catching a dirty compile with GnuTLS 3.6.11.1 on Fedora 31.
>
> ...
> dn.c: In function 'append_elements':
> dn.c:83:9: warning: '.?' directive output may be truncated writing 2
> bytes into a region of size between 1 and 192 [-Wformat-truncation=]
>    83 |      "%s.?%u", tmpbuffer1, k2);
>       |         ^~
> dn.c:83:6: note: directive argument in the range [1, 2147483647]
>    83 |      "%s.?%u", tmpbuffer1, k2);
>       |      ^~~~~~~~
> dn.c:82:4: note: 'snprintf' output between 4 and 204 bytes into a
> destination of size 192
>    82 |    snprintf(tmpbuffer2, sizeof(tmpbuffer2),
>       |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    83 |      "%s.?%u", tmpbuffer1, k2);
>       |      ~~~~~~~~~~~~~~~~~~~~~~~~~
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I./../../gl
> -I./../../gl -I./../includes -I./../includes -I./..
> -I/usr/local/include -DNDEBUG -Wtype-limits -fno-common -Wall
> -I/usr/local/include -I/usr/local/include
> -I/usr/local/include/p11-kit-1 -g2 -O2 -march=native -fPIC -pthread
> -MT prov-seed.lo -MD -MP -MF .deps/prov-seed.Tpo -c prov-seed.c  -fPIC
> -DPIC -o .libs/prov-seed.o
> dn.c: In function '_gnutls_x509_parse_dn_oid':
> dn.c:368:10: warning: '.?' directive output may be truncated writing 2
> bytes into a region of size between 1 and 192 [-Wformat-truncation=]
>   368 |       "%s.?%u", tmpbuffer1, k2);
>       |          ^~
> dn.c:368:7: note: directive argument in the range [1, 2147483647]
>   368 |       "%s.?%u", tmpbuffer1, k2);
>       |       ^~~~~~~~
> dn.c:367:5: note: 'snprintf' output between 4 and 204 bytes into a
> destination of size 192
>   367 |     snprintf(tmpbuffer2, sizeof(tmpbuffer2),
>       |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   368 |       "%s.?%u", tmpbuffer1, k2);
>       |       ~~~~~~~~~~~~~~~~~~~~~~~~~
> attributes.c: In function '_x509_parse_attribute':
> attributes.c:138:9: warning: '.values.?' directive output may be
> truncated writing 9 bytes into a region of size between 1 and 192
> [-Wformat-truncation=]
>   138 |      "%s.values.?%u", tmpbuffer1, indx + 1);
>       |         ^~~~~~~~~
> attributes.c:138:6: note: using the range [0, 4294967295] for directive argument
>   138 |      "%s.values.?%u", tmpbuffer1, indx + 1);
>       |      ^~~~~~~~~~~~~~~
> attributes.c:137:4: note: 'snprintf' output between 11 and 211 bytes
> into a destination of size 192
>   137 |    snprintf(tmpbuffer3, sizeof(tmpbuffer3),
>       |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   138 |      "%s.values.?%u", tmpbuffer1, indx + 1);
>       |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> dn.c: In function '_gnutls_x509_get_dn_oid':
> dn.c:528:10: warning: '.?' directive output may be truncated writing 2
> bytes into a region of size between 1 and 192 [-Wformat-truncation=]
>   528 |       "%s.?%u", tmpbuffer1, k2);
>       |          ^~
> dn.c:528:7: note: directive argument in the range [1, 2147483647]
>   528 |       "%s.?%u", tmpbuffer1, k2);
>       |       ^~~~~~~~
> dn.c:527:5: note: 'snprintf' output between 4 and 204 bytes into a
> destination of size 192
>   527 |     snprintf(tmpbuffer2, sizeof(tmpbuffer2),
>       |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   528 |       "%s.?%u", tmpbuffer1, k2);
>       |       ~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ...
> extensions.c: In function '_gnutls_write_new_othername':
> extensions.c:803:36: warning: '.otherName.type-id' directive output
> may be truncated writing 18 bytes into a region of size between 1 and
> 128 [-Wformat-truncation=]
>   803 |  snprintf(name2, sizeof(name2), "%s.otherName.type-id", name);
>       |                                    ^~~~~~~~~~~~~~~~~~
> extensions.c:803:2: note: 'snprintf' output between 19 and 146 bytes
> into a destination of size 128
>   803 |  snprintf(name2, sizeof(name2), "%s.otherName.type-id", name);
>       |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> extensions.c:812:36: warning: '.otherName.value' directive output may
> be truncated writing 16 bytes into a region of size between 1 and 128
> [-Wformat-truncation=]
>   812 |  snprintf(name2, sizeof(name2), "%s.otherName.value", name);
>       |                                    ^~~~~~~~~~~~~~~~
> extensions.c:812:2: note: 'snprintf' output between 17 and 144 bytes
> into a destination of size 128
>   812 |  snprintf(name2, sizeof(name2), "%s.otherName.value", name);
>
> ...
> verify-high2.c: In function 'load_dir_certs':
> verify-high2.c:407:40: warning: 'snprintf' output may be truncated
> before the last format character [-Wformat-truncation=]
>   407 |     snprintf(path, sizeof(path), "%s/%s",
>       |                                        ^
> verify-high2.c:407:5: note: 'snprintf' output 2 or more bytes
> (assuming 257) into a destination of size 256
>   407 |     snprintf(path, sizeof(path), "%s/%s",
>       |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   408 |       dirname, d->d_name);
>       |       ~~~~~~~~~~~~~~~~~~~
```
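The unchecked pattern from the warnings beside a version that detects truncation, as an added example that is not GnuTLS code: the 192-byte buffer and the `"%s.?%u"` format follow the dn.c warnings quoted above, while the function names, `ASN1_NAME_SIZE` and `ERR_TRUNCATED` are hypothetical.

```c
/* Added example (not GnuTLS code). snprintf() never overflows, but it
 * silently cuts the output off; the only signal is its return value, which
 * is the length the full output WOULD have had. A value >= the buffer size
 * means the result (and possibly the terminating NUL) did not fit. */
#include <stdio.h>
#include <string.h>

#define ASN1_NAME_SIZE 192      /* "destination of size 192" in the warnings */
#define ERR_TRUNCATED  (-1)     /* hypothetical error code */

/* Unchecked pattern: a truncated ASN.1 element name is handed on as if it
 * were complete. Returns the length actually left in the buffer. */
static int build_name_unchecked(char *out, size_t outlen,
                                const char *prefix, unsigned k2)
{
	snprintf(out, outlen, "%s.?%u", prefix, k2);
	return (int)strlen(out);
}

/* Checked pattern: reject n < 0 (encoding error) and n >= outlen
 * (truncated, including the case where only the NUL did not fit). */
static int build_name_checked(char *out, size_t outlen,
                              const char *prefix, unsigned k2)
{
	int n = snprintf(out, outlen, "%s.?%u", prefix, k2);
	if (n < 0 || (size_t)n >= outlen) {
		out[0] = '\0';          /* do not leave a half-written name behind */
		return ERR_TRUNCATED;
	}
	return n;                   /* bytes written, not counting the NUL */
}

/* Builds a constructed prefix of prefix_len 'a' characters (standing in for
 * a long dotted ASN.1 path) and returns 1 when the checked builder reports
 * truncation while the unchecked one silently yields a different, cut-off
 * name; returns 0 when both agree that the name fits. */
static int demo_truncation(size_t prefix_len)
{
	char prefix[512];
	char unchecked[ASN1_NAME_SIZE], checked[ASN1_NAME_SIZE];
	if (prefix_len >= sizeof prefix)
		return 0;
	memset(prefix, 'a', prefix_len);
	prefix[prefix_len] = '\0';
	build_name_unchecked(unchecked, sizeof unchecked, prefix, 1);
	int rc = build_name_checked(checked, sizeof checked, prefix, 1);
	return rc == ERR_TRUNCATED && strcmp(unchecked, checked) != 0;
}
```

GCC's `-Wformat-truncation` at its default level 1 only reports calls whose return value is unused, so checking the return value also resolves the warnings quoted above rather than merely silencing them.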
