Fix an off-by-one reading passwords from a file. #79
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
One of our static checkers noticed the following:
Error: OVERRUN (CWE-119):
mokutil-0.6.0/src/mokutil.c:378: cond_at_least: Checking ""read_len < 300L"" implies that ""read_len"" is at least 300 on the false branch.
mokutil-0.6.0/src/mokutil.c:394: overrun-local: Overrunning array ""string"" of 300 bytes at byte offset 300 using index ""read_len"" (which evaluates to 300).
# 392| close (fd);
# 393|
# 394|-> if (string[read_len] != '\0') {
# 395| fprintf (stderr, ""corrupted string\n"");
# 396| return -1;
This is because the read loop limits itself to < BUF_SIZE, but the actual
read() call uses BUF_SIZE - read_len as the size, and then updates
read_len with the added number of characters:
while (read_len < BUF_SIZE) {
ssize_t rc = read (fd, string + read_len,
BUF_SIZE - read_len - 1);
...
read_len += rc;
}
This means it's asking for BUF_SIZE characters, and as a result read_len
can be adjusted to be BUF_SIZE, rather than BUF_SIZE - 1. The check for
the string terminator (for "corruption"...) then overflows the buffer.
This patch changes the read() size parameter to always be BUF_SIZE -
read_len - 1, so we'll never fill the last byte or adjust read_len to be
BUF_SIZE. It further removes the "corrupted sting" test, as that cannot
ever be the case.
Resolves: RHEL-27624
Signed-off-by: Peter Jones <pjones@redhat.com>
|
Thanks for patch! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
One of our static checkers noticed the following:
This is because the read loop limits itself to < BUF_SIZE, but the actual read() call uses BUF_SIZE - read_len as the size, and then updates read_len with the added number of characters:
This means it's asking for BUF_SIZE characters, and as a result read_len can be adjusted to be BUF_SIZE, rather than BUF_SIZE - 1. The check for the string terminator (for "corruption"...) then overflows the buffer.
This patch changes the read() size parameter to always be BUF_SIZE - read_len - 1, so we'll never fill the last byte or adjust read_len to be BUF_SIZE. It further removes the "corrupted sting" test, as that cannot ever be the case.
Resolves: RHEL-27624