[gnutls-devel] GnuTLS | srptool:possible stack buffer overflow with large SRP groups (#1777)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Dec 23 11:26:24 CET 2025
Mikhail commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1777#note_2971424819
Thanks for the piece of advice, I rebuilt it with `CFLAGS="-O2 -D_FORTIFY_SOURCE=2"` and got:
```
~$ srptool --passwd-conf ~/tpasswd.conf --passwd ~/tpasswd --username testuser --index=7
Enter password:
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```
So the overflow is confirmed.
Also, I then tried to increase the buffer size to 2048 and rebuild it; after that the overflow obviously doesn't happen, and the "Encoding error" doesn't reproduce anymore either -- I don't know why it didn't work earlier for me. Maybe I missed something.
Would it make sense to increase the buffer size as I proposed? Something like this, e.g.:
```c
static char *_srp_crypt(const char *username, const char *passwd, int salt_size,
                        const gnutls_datum_t *g, const gnutls_datum_t *n)
{
    unsigned char salt[128];
    static char result[2048];
    ...
    if (snprintf(result, sizeof(result), "%s:%s",
                 txt_verifier.data, txt_salt.data) >= sizeof(result)) {
        fprintf(stderr, "Unexpectedly large SRP verifier - buffer too small\n");
        return NULL;
    }
    ...
```
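An added example illustrating the two defensive shapes discussed above (not GnuTLS code, and the function names, sizes and sample strings are constructed): a fixed-buffer formatter that treats a truncating `snprintf` as an error, and a heap-allocated variant sized from its inputs so no SRP group size can overflow it. The base64 length helper shows why a verifier from a large group (8192-bit modulus, 1024 bytes raw) does not fit a 1024-byte buffer but does fit 2048.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed buffer: write "verifier:salt" into out, return 0 on success or
 * -1 if the record would not fit. snprintf reports the length it wanted
 * to write (excluding the NUL), so n >= out_size means truncation. */
int format_record_fixed(char *out, size_t out_size,
                        const char *verifier_b64, const char *salt_b64)
{
    int n = snprintf(out, out_size, "%s:%s", verifier_b64, salt_b64);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return 0;
}

/* Heap buffer sized from the inputs; caller frees. Cannot be too small
 * for any group size, at the cost of an allocation per record. */
char *format_record_alloc(const char *verifier_b64, const char *salt_b64)
{
    size_t need = strlen(verifier_b64) + 1 + strlen(salt_b64) + 1;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    snprintf(out, need, "%s:%s", verifier_b64, salt_b64);
    return out;
}

/* Base64 text length of an n-byte value: 4 chars per 3 bytes, padded. */
size_t base64_len(size_t nbytes)
{
    return 4 * ((nbytes + 2) / 3);
}

int main(void)
{
    /* Constructed stand-in for a verifier from an 8192-bit group. */
    size_t vlen = base64_len(1024);
    char *verifier = malloc(vlen + 1);
    memset(verifier, 'A', vlen);
    verifier[vlen] = '\0';
    const char *salt = "c2FsdA==";   /* constructed base64 salt */
    char small[1024], big[2048];
    printf("1024-byte buffer: %s\n",
           format_record_fixed(small, sizeof small, verifier, salt) ? "too small" : "fits");
    printf("2048-byte buffer: %s\n",
           format_record_fixed(big, sizeof big, verifier, salt) ? "too small" : "fits");
    char *rec = format_record_alloc(verifier, salt);
    printf("heap record: %zu chars\n", strlen(rec));
    free(rec);
    free(verifier);
    return 0;
}
```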