<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<p class="details" style="font-style: italic; color: #737278;">
<a href="https://gitlab.com/d.meliksetyan">David Meliksetyan</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1578">#1578</a>
</p>
<div class="md" style="position: relative; z-index: 1; color: #28272d; word-wrap: break-word;">
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 0 0 16px;" align="initial">
<a href="#potential-problem" aria-hidden="true" class="anchor" id="user-content-potential-problem" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Potential problem</h2>
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">In <strong style="font-weight: 600; margin-top: 0;">/src/benchmark-tls.c</strong> the value <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>total_diffs_size</code> is used as an index when accessing an element of the array <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>total_diffs</code>, whose size is 32768. <a href="https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L568">https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L568</a>
At the same time we check that the index value is not greater than 32768, but the problem is that we do so after accessing an array element. <a href="https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L570-572">https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L570-572</a>
This means that a situation may arise in which the index value will be equal to 32768, the program will not have time to react, and we will try to access outside the array, which can lead to unpredictable results.</p>
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 24px 0 16px;" align="initial">
<a href="#possible-solution" aria-hidden="true" class="anchor" id="user-content-possible-solution" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Possible solution</h2>
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">Given that in your implementation of the code, the index value is incremented by 1 immediately after accessing the array, the problem can be solved by simply adding one character to the conditional test statement:
<code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>if (total_diffs_size >= sizeof(total_diffs) / sizeof(total_diffs[0]))</code>
In that case the maximum allowed value of <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>total_diffs_size</code> will be 32767.</p>
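<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">A stand-alone C model of the access-then-check ordering described above, added here as an illustration and not taken from the gnutls source: it computes which index each guard variant lets through before tripping (capacity shrunk to 8 for readability), and pairs it with a hypothetical <code>record_diff</code> that bounds-checks before the write.</p>

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model of the pattern reported for benchmark-tls.c (illustrative, not
 * the gnutls source): a fixed-size buffer plus a running count used as the
 * write index. Capacity is shrunk from 32768 to 8; the off-by-one is the same. */
#define DIFFS_CAP 8

/* Simulate the guard that runs after the access and the increment, without
 * touching a real array. Returns the largest index used before the guard
 * trips: strict=true is the original '>' check, false the proposed '>='. */
size_t last_index_touched(size_t cap, bool strict)
{
    size_t count = 0;            /* plays the role of total_diffs_size */
    for (;;) {
        size_t used = count;     /* total_diffs[count] is accessed here */
        count++;                 /* ...and only then does the counter grow */
        if (strict ? (count > cap) : (count >= cap))
            return used;
    }
}

/* Hardened recorder (hypothetical): bounds-check before the write and let the
 * caller handle a full buffer, so index == DIFFS_CAP is never dereferenced. */
struct diffs { unsigned long v[DIFFS_CAP]; size_t n; };

bool record_diff(struct diffs *d, unsigned long diff)
{
    if (d->n >= sizeof(d->v) / sizeof(d->v[0]))
        return false;            /* buffer full: caller decides what to do */
    d->v[d->n++] = diff;
    return true;
}

/* Offer `offered` samples and return how many were actually stored. */
size_t fill_and_count(size_t offered)
{
    struct diffs d = { .n = 0 };
    size_t stored = 0;
    for (size_t i = 0; i < offered; i++)
        stored += record_diff(&d, i * 10) ? 1 : 0;
    return stored;
}

int main(void)
{
    printf("'>' guard: last index used %zu, cap %d\n", last_index_touched(DIFFS_CAP, true), DIFFS_CAP);
    printf("'>=' guard: last index used %zu\n", last_index_touched(DIFFS_CAP, false));
    printf("hardened recorder stored %zu of %d offered\n", fill_and_count(DIFFS_CAP + 3), DIFFS_CAP + 3);
    return 0;
}
```

With the original <code>&gt;</code> guard the model reaches index 8 (one past the end); with <code>&gt;=</code> it stops at 7, matching the 32767 ceiling stated above for the real capacity.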
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.</p>
<p dir="auto" style="color: #28272d; margin: 0;" align="initial">Author D. Meliksetyan.</p>
</div>
</div>
</body>
</html>