Your message dated Fri, 19 Dec 2014 17:59:51 -0500
with message-id <[email protected]>
and subject line Re: [Pkg-gnupg-maint] Bug#773470: Fwd: off-by-one
has caused the Debian Bug report #773470,
regarding Fwd: off-by-one
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
773470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg2
Version: 2.1.1
Severity: normal
Hi,
On line 1242 of app-nks.c, 'xtrymalloc' is called with 'datalen', which is
calculated using "size_t datalen = oldpinlen + newpinlen"
This does not account for the null-bytes, and may cause either a buffer
overflow, or other problems down the line.
Thanks,
--
-- Joshua Rogers <https://internot.info/>
--- End Message ---
--- Begin Message ---
Control: notfound 773470 2.1.1
On Thu 2014-12-18 13:32:24 -0500, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
>
> On line 1242 of app-nks.c, 'xtrymalloc' is called with 'datalen',
> which is calculated using "size_t datalen = oldpinlen + newpinlen"
The code you're talking about is here (in scd/app-nks.c):
1237   if ((flags & APP_CHANGE_FLAG_RESET))
1238     {
1239       char *data;
1240       size_t datalen = oldpinlen + newpinlen;
1241
1242       data = xtrymalloc (datalen);
1243       if (!data)
1244         {
1245           err = gpg_error_from_syserror ();
1246           goto leave;
1247         }
1248       memcpy (data, oldpin, oldpinlen);
1249       memcpy (data+oldpinlen, newpin, newpinlen);
1250       err = iso7816_reset_retry_counter_with_rc (app->slot, pwid,
1251                                                  data, datalen);
1252       wipememory (data, datalen);
1253       xfree (data);
1254     }
> This does not account for the null-bytes, and may cause either a
> buffer overflow, or other problems down the line.
The only place where data is used is with memcpy() and
iso7816_reset_retry_counter_with_rc() and wipememory().
In these invocations, the data buffer is passed with an appropriate size
value -- it is not used as a null-terminated string.
I'm closing this report because it is not a bug.
--dkg
--- End Message ---
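The distinction the maintainer draws above, a buffer that is only ever consumed together with an explicit length versus one consumed as a NUL-terminated C string, is the whole question of whether the "+1" is missing. The following C program is an added illustration written for this page; it is not gnupg's code and not part of the bug thread. The helpers concat_counted, concat_cstring, consume_counted and wipe_and_free are hypothetical stand-ins for the xtrymalloc/memcpy/iso7816_reset_retry_counter_with_rc/wipememory sequence quoted in the report, and the PIN values are constructed sample input. It also goes one step beyond the thread by showing a PIN with an embedded 0x00 byte, which a terminator-based contract could not carry at all.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Concatenate two length-delimited byte buffers into a buffer of exactly
 * oldlen + newlen bytes.  No NUL terminator is appended: the result is only
 * consumed together with *outlen, never as a C string.  Hypothetical helper
 * written for this example, not gnupg's code. */
static unsigned char *concat_counted(const unsigned char *oldpin, size_t oldlen,
                                     const unsigned char *newpin, size_t newlen,
                                     size_t *outlen)
{
    unsigned char *data;

    if (oldlen > SIZE_MAX - newlen)      /* size_t wrap-around guard */
        return NULL;
    data = malloc(oldlen + newlen);      /* datalen == oldlen + newlen */
    if (!data)
        return NULL;
    memcpy(data, oldpin, oldlen);
    memcpy(data + oldlen, newpin, newlen);
    *outlen = oldlen + newlen;
    return data;
}

/* The contrasting contract: a consumer that will call strlen() on the result
 * needs one extra byte for the terminator.  Here, and only here, +1 is
 * required. */
static char *concat_cstring(const char *a, const char *b)
{
    size_t alen = strlen(a), blen = strlen(b);
    char *s;

    if (alen >= SIZE_MAX - blen)         /* alen + blen + 1 would overflow */
        return NULL;
    s = malloc(alen + blen + 1);         /* +1 for the NUL */
    if (!s)
        return NULL;
    memcpy(s, a, alen);
    memcpy(s + alen, b, blen);
    s[alen + blen] = '\0';
    return s;
}

/* Stand-in for a length-aware consumer such as the card command in the
 * thread: it touches exactly datalen bytes and never searches for a
 * terminator.  Returns a byte sum so a caller can confirm every byte, and
 * only those bytes, was read. */
static unsigned long consume_counted(const unsigned char *data, size_t datalen)
{
    unsigned long sum = 0;
    size_t i;
    for (i = 0; i < datalen; i++)
        sum += data[i];
    return sum;
}

/* Scrub the secret before freeing, as wipememory()/xfree() do in the
 * quoted code.  The volatile pointer stops the compiler from dropping the
 * zeroing as a dead store. */
static void wipe_and_free(unsigned char *data, size_t datalen)
{
    volatile unsigned char *p = data;
    size_t i;
    for (i = 0; i < datalen; i++)
        p[i] = 0;
    free(data);
}

/* Check 1 (constructed input): two printable PINs.  The buffer is exactly
 * 8 bytes and the counted consumer reads all of them.  Returns 1 on success. */
static int check_counted_example(void)
{
    static const unsigned char oldpin[] = "1234", newpin[] = "5678";
    size_t n = 0;
    unsigned char *d = concat_counted(oldpin, 4, newpin, 4, &n);
    int ok;

    if (!d)
        return 0;
    ok = (n == 8) && memcmp(d, "12345678", 8) == 0
         && consume_counted(d, n) == 420;    /* sum of ASCII '1'..'8' */
    wipe_and_free(d, n);
    return ok;
}

/* Check 2 (constructed input): a PIN containing a 0x00 byte.  The counted
 * path carries all three bytes; strlen() on the same bytes reports 0, which
 * is why the explicit length, not a terminator, is the contract. */
static int check_embedded_nul_example(void)
{
    static const unsigned char oldpin[] = { 0x00, 0x01 }, newpin[] = { 0x02 };
    size_t n = 0;
    unsigned char *d = concat_counted(oldpin, 2, newpin, 1, &n);
    int ok;

    if (!d)
        return 0;
    ok = (n == 3) && d[0] == 0x00 && d[1] == 0x01 && d[2] == 0x02
         && strlen((const char *)d) == 0;
    wipe_and_free(d, n);
    return ok;
}
```

The review question for any such allocation is therefore not "is there a +1" but "does every consumer of this pointer receive the length, or does one of them call a str* function". In the quoted scd/app-nks.c block every consumer takes datalen, so the exact-size allocation is correct.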