[gnutls-devel] GnuTLS | lib/file.c gnutls_load_file() does not include trailing '\0' if malloc != gnutls_malloc (#1006)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat May 30 06:47:20 CEST 2020
Glenn Strauss created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1006
lib/file.c `gnutls_load_file()` does not include trailing `'\0'` if `malloc != gnutls_malloc` and does not check if `gnutls_malloc()` fails.
```
--- a/lib/file.c
+++ b/lib/file.c
@@ -60,11 +60,14 @@ int gnutls_load_file(const char *filename, gnutls_datum_t * data)
return GNUTLS_E_FILE_ERROR;
if (malloc != gnutls_malloc) {
- void *tmp = gnutls_malloc(len);
-
- memcpy(tmp, data->data, len);
+ void *tmp = gnutls_malloc(len+1);
+ if (tmp)
+ memcpy(tmp, data->data, len+1);
+ zeroize_key(data->data, len);
free(data->data);
data->data = tmp;
+ if (tmp == NULL)
+ return GNUTLS_E_FILE_ERROR;
}
data->size = len;
```
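Review bot: the new failure path at the end of the `if (malloc != gnutls_malloc)` block (`if (tmp == NULL) return GNUTLS_E_FILE_ERROR;`) reports an allocation failure as a file error; `GNUTLS_E_MEMORY_ERROR` would tell the caller what actually failed. That path also returns with `data->data` set to NULL before `data->size = len;` runs, so `data->size` keeps whatever value it had; setting it to 0 there would leave the datum consistent. The `memcpy(tmp, data->data, len+1)` reads `len+1` bytes from the source buffer, so a short comment stating that the buffer loaded earlier in the function is NUL-terminated and at least `len+1` bytes long would make that read easy to verify.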
Note: `gnutls_load_file()` also does not check that `(size_t) len < UINT_MAX` before assigning `len` in `data->size = len;` (fix not included above).