[sr #107527] Use of dangerous/banned functions (Analysis)

Tomas Hoger INVALID.NOREPLY at gnu.org
Fri Nov 19 09:50:12 CET 2010


Follow-up Comment #2, sr #107527 (project gnutls):

> This SR will analyze the code around a cluster of calls to
> strcpy in serv.c. The lines of interest in peer_print_info
> (from the SR $107525 audit) are:
>
> 451: size_t len = 5 * 1024 + strlen (header);
> 457: http_buffer = malloc (len);
> ...
> 
> 461: strcpy (http_buffer, HTTP_BEGIN);
> 462: strcpy (&http_buffer[sizeof (HTTP_BEGIN) - 1], DEFAULT_DATA);
> 463: strcpy (&http_buffer[sizeof (HTTP_BEGIN) + sizeof (DEFAULT_DATA) - 2], HTTP_END);
> 465: *ret_length = sizeof (DEFAULT_DATA) + sizeof (HTTP_BEGIN) + sizeof (HTTP_END) - 3;

This code block copies 3 hard-coded strings with a total length of ~330
characters to a buffer that has at least 5*1024 bytes.

> From the Open Group Base Specifications for strlen(), it
> appears no constraints are placed on the string 's' and no
> errors are defined for the function, which implies all
> arguments - including NULL - are acceptable. Yet a test
> program faults on GNU Linux with a NULL argument:

Right, so you can crash your test program by doing strlen(NULL).  You can
check get_response() to see if peer_print_info() can ever be called with NULL
header.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107527>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
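The two points made in this comment, that the sizeof-based offsets chain the three constants together inside a buffer far larger than they need, and that the only real hazard is a NULL header reaching strlen(), can be checked mechanically. The following is an added example written for this thread, not code from gnutls' serv.c; HTTP_BEGIN, DEFAULT_DATA and HTTP_END are constructed stand-ins for the real constants, and build_http_response mirrors the quoted lines with a NULL guard added.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the serv.c constants; the real ones are an
 * HTML page of roughly 330 bytes in total, which is all that matters here. */
#define HTTP_BEGIN   "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
#define DEFAULT_DATA "<html><body>GnuTLS test server (constructed sample)</body></html>"
#define HTTP_END     "\r\n"

/* Mirrors the sizing and copy pattern quoted above (lines 451-465).
 * Returns NULL on a NULL header, instead of handing it to strlen(), or on
 * allocation failure; *ret_length receives the count line 465 computes. */
char *build_http_response(const char *header, size_t *ret_length)
{
    if (header == NULL)          /* the case the test program crashed on */
        return NULL;
    size_t len = 5 * 1024 + strlen(header);
    char *http_buffer = malloc(len);
    if (http_buffer == NULL)
        return NULL;
    strcpy(http_buffer, HTTP_BEGIN);
    strcpy(&http_buffer[sizeof(HTTP_BEGIN) - 1], DEFAULT_DATA);
    strcpy(&http_buffer[sizeof(HTTP_BEGIN) + sizeof(DEFAULT_DATA) - 2], HTTP_END);
    *ret_length = sizeof(DEFAULT_DATA) + sizeof(HTTP_BEGIN) + sizeof(HTTP_END) - 3;
    return http_buffer;
}

/* Checks the two properties the analysis relies on: each sizeof-based
 * offset lands exactly on the NUL written by the previous strcpy (so the
 * pieces concatenate with no gap and ret_length equals the real length),
 * and the final NUL lies inside the allocation.  Returns 1 if both hold. */
int response_layout_is_safe(const char *header)
{
    size_t ret_length = 0;
    char *buf = build_http_response(header, &ret_length);
    if (buf == NULL)
        return 0;
    size_t expected = strlen(HTTP_BEGIN) + strlen(DEFAULT_DATA) + strlen(HTTP_END);
    int contiguous = strlen(buf) == expected && ret_length == expected;
    int bounded    = ret_length + 1 <= 5 * 1024 + strlen(header);
    free(buf);
    return contiguous && bounded;
}

int main(void)
{
    printf("layout safe with empty header: %d\n", response_layout_is_safe(""));
    printf("NULL header rejected: %d\n", build_http_response(NULL, NULL) == NULL);
    return 0;
}
```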
