[gnutls-devel] GnuTLS | Overflow at benchmark-tls.c (gnutls version - 3.8.3) (#1578)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Sep 12 20:24:16 CEST 2024



David Meliksetyan created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1578



## Potential problem
In **/src/benchmark-tls.c** the value `total_diffs_size` is used as an index when accessing an element of the array `total_diffs`, whose size is 32768. https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L568 
At the same time we check that the index value is not greater than 32768, but the problem is that we do so after accessing the array element. https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L570-572
This means that a situation may arise in which the index value is equal to 32768 and the program does not have time to react, so we try to access outside the array, which can lead to unpredictable results.

## Possible solution
Given that in your implementation of the code the index value is incremented by 1 immediately after accessing the array, the problem can be solved by simply adding one character to the conditional test statement:
`if (total_diffs_size >= sizeof(total_diffs) / sizeof(total_diffs[0]))`
In that case maximum allowed value of `total_diffs_size` will be 32767.

Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.

Author D. Meliksetyan.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1578
You're receiving this email because of your account on gitlab.com.
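A small stand-alone C program, added here as an illustration of the off-by-one pattern the issue describes; it is not the GnuTLS benchmark code and reproduces neither its file nor its surrounding logic. Assumptions: the array is scaled down from 32768 to a `DEMO_CAPACITY` of 4 elements, one extra "canary" slot is allocated directly after it so the out-of-range store stays inside the allocation and is observable without undefined behaviour, and an `aborted` flag stands in for the `abort()` that the post-write check would call. `record_diff()` keeps the store-then-check ordering from the report and switches only the comparison operator, which is exactly the one-character change proposed above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Demo capacity scaled down from the 32768-element total_diffs[] in
 * benchmark-tls.c; the checking logic is the same. One extra slot holds
 * a canary so the off-by-one write lands inside the allocation and can
 * be observed without undefined behaviour. (Assumed demo layout.) */
#define DEMO_CAPACITY 4
#define CANARY 0xdeadbeefUL

struct diffs {
    unsigned long *total_diffs;  /* DEMO_CAPACITY slots + 1 canary slot */
    size_t capacity;             /* stands in for sizeof(total_diffs)/sizeof(total_diffs[0]) */
    size_t total_diffs_size;     /* the index the issue is about */
    int aborted;                 /* stand-in for abort(): once set, nothing more runs */
    size_t max_index_written;    /* highest index ever stored to */
};

static int diffs_init(struct diffs *d, size_t capacity)
{
    d->total_diffs = calloc(capacity + 1, sizeof(*d->total_diffs));
    if (d->total_diffs == NULL)
        return -1;
    d->total_diffs[capacity] = CANARY;   /* guard slot right after the array */
    d->capacity = capacity;
    d->total_diffs_size = 0;
    d->aborted = 0;
    d->max_index_written = 0;
    return 0;
}

static void diffs_free(struct diffs *d)
{
    free(d->total_diffs);
    d->total_diffs = NULL;
}

/* Store a sample the way the issue describes: write at total_diffs_size,
 * increment, and only then run the bounds check. use_ge selects the
 * comparison: 0 for the reported '>' (check fires one write too late),
 * 1 for the proposed '>='. Returns 0, or -1 once the check has fired. */
static int record_diff(struct diffs *d, unsigned long diff, int use_ge)
{
    if (d->aborted)
        return -1;
    size_t idx = d->total_diffs_size;
    d->total_diffs[idx] = diff;          /* the write happens before any check */
    if (idx > d->max_index_written)
        d->max_index_written = idx;
    d->total_diffs_size++;
    int full = use_ge ? d->total_diffs_size >= d->capacity
                      : d->total_diffs_size >  d->capacity;
    if (full) {
        d->aborted = 1;                  /* where the real code would abort() */
        return -1;
    }
    return 0;
}

/* Feed capacity+1 samples through record_diff and report, via out
 * parameters, whether the canary survived and the largest index used. */
static void overfill(int use_ge, int *canary_intact, size_t *max_index)
{
    struct diffs d;
    *canary_intact = -1;
    *max_index = 0;
    if (diffs_init(&d, DEMO_CAPACITY) != 0)
        return;
    for (size_t i = 0; i < DEMO_CAPACITY + 1; i++)
        (void)record_diff(&d, 1000 + i, use_ge);
    *canary_intact = (d.total_diffs[DEMO_CAPACITY] == CANARY);
    *max_index = d.max_index_written;
    diffs_free(&d);
}

static int canary_intact_after_overfill(int use_ge)
{
    int intact;
    size_t max_index;
    overfill(use_ge, &intact, &max_index);
    return intact;
}

static size_t max_index_after_overfill(int use_ge)
{
    int intact;
    size_t max_index;
    overfill(use_ge, &intact, &max_index);
    return max_index;
}

int main(void)
{
    printf("'>'  : canary intact=%d, max index=%zu (capacity %d)\n",
           canary_intact_after_overfill(0), max_index_after_overfill(0), DEMO_CAPACITY);
    printf("'>=' : canary intact=%d, max index=%zu (capacity %d)\n",
           canary_intact_after_overfill(1), max_index_after_overfill(1), DEMO_CAPACITY);
    return 0;
}
```

With `>` the fifth sample is stored at index 4, one past the 4-element array, before the check notices that `total_diffs_size` has exceeded the capacity; with `>=` the check fires as soon as the array is exactly full, so the highest index ever written is capacity - 1 and the canary is untouched. The same reasoning gives 32767 as the maximum index for the real 32768-element array.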



