#60 ✓resolved
teuf

[PATCH] potential memory corruption in calls to gnutls function on 64 bit arch

Reported by teuf | July 24th, 2009 @ 07:22 PM | in 1.0 Release

Looking at lockdown.c:

   /* if everything went well, export in PEM format */
   gnutls_datum_t dev_pem = { NULL, 0 };
   gnutls_x509_crt_export(dev_cert, GNUTLS_X509_FMT_PEM, NULL, &dev_pem.size);
   dev_pem.data = gnutls_malloc(dev_pem.size);
   gnutls_x509_crt_export(dev_cert, GNUTLS_X509_FMT_PEM, dev_pem.data, &dev_pem.size);
On my box, gnutls_datum_t is:
   typedef struct
   {
       unsigned char *data;
       unsigned int size;
   } gnutls_datum_t;
and gnutls_x509_crt_export has this prototype:
   int gnutls_x509_crt_export(gnutls_x509_crt_t cert,
                              gnutls_x509_crt_fmt_t format,
                              void *output_data,
                              size_t *output_data_size);

ints are 4 bytes long on x86_64/linux, size_t is 8 bytes long, so when passing &dev_pem.size to gnutls_x509_crt_export, the 4 bytes after &dev_pem.size might be written to. In this case, these 4 bytes are padding in the gnutls_datum_t, but I wouldn't rely on that.

The same issue is present in userpref.c. gcc complains about it when compiling with -Wall -Werror.
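The following is an added example, not code from the ticket or from libimobiledevice. It reproduces the two-call export pattern quoted above with a stand-in for gnutls_x509_crt_export (the assumed `fake_export` keeps the real function's `size_t *output_data_size` contract, but gnutls itself is not linked), and shows the fix the report implies: pass a `size_t` temporary to the exporter, then range-check it before narrowing into the 4-byte `size` field. `size_field_overrun()` computes, from the struct layout alone, how many bytes past `size` an 8-byte store through `&dev_pem.size` would reach on this platform.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Same layout as gnutls_datum_t on the reporter's box (assumed). */
typedef struct {
    unsigned char *data;
    unsigned int size;
} datum_t;

/* Constructed sample PEM text; the contents do not matter for the demo. */
static const char pem_sample[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...\n"
    "-----END CERTIFICATE-----\n";

/* Stand-in for gnutls_x509_crt_export (assumption: same size_t contract).
 * With output_data == NULL, or a buffer that is too small, it stores the
 * required length and returns -1; otherwise it copies and returns 0. */
static int fake_export(void *output_data, size_t *output_data_size)
{
    size_t needed = sizeof pem_sample;   /* includes the terminating NUL */
    if (output_data == NULL || *output_data_size < needed) {
        *output_data_size = needed;
        return -1;
    }
    memcpy(output_data, pem_sample, needed);
    *output_data_size = needed;
    return 0;
}

/* Number of bytes past the end of datum_t.size that a size_t-wide store
 * through &datum.size would touch. 4 on x86_64/Linux, 0 where
 * sizeof(size_t) == sizeof(unsigned int). */
size_t size_field_overrun(void)
{
    size_t field_end = offsetof(datum_t, size) + sizeof(unsigned int);
    size_t store_end = offsetof(datum_t, size) + sizeof(size_t);
    return store_end > field_end ? store_end - field_end : 0;
}

/* Fixed pattern: the exporter only ever writes a size_t it was given,
 * and the narrowing into the datum is explicit and range-checked. */
int export_pem(datum_t *out)
{
    size_t len = 0;
    out->data = NULL;
    out->size = 0;

    fake_export(NULL, &len);             /* first call: learn the length */
    if (len == 0 || len > UINT_MAX)
        return -1;                       /* would not fit in unsigned int */

    out->data = malloc(len);
    if (out->data == NULL)
        return -1;

    if (fake_export(out->data, &len) != 0 || len > UINT_MAX) {
        free(out->data);
        out->data = NULL;
        return -1;
    }
    out->size = (unsigned int)len;       /* safe: checked above */
    return 0;
}

/* Runs the export and checks the result; returns 1 on success, 0 otherwise. */
int export_roundtrip_ok(void)
{
    datum_t d;
    int ok = 0;
    if (export_pem(&d) == 0) {
        ok = d.size == sizeof pem_sample &&
             memcmp(d.data, pem_sample, sizeof pem_sample) == 0;
        free(d.data);
    }
    return ok;
}

int main(void)
{
    printf("bytes clobbered past size field: %zu\n", size_field_overrun());
    printf("export roundtrip: %s\n", export_roundtrip_ok() ? "ok" : "failed");
    return 0;
}
```

Passing `&dev_pem.size` directly, as in the quoted code, is exactly what `-Wall -Werror` rejects (incompatible pointer type: `unsigned int *` where `size_t *` is expected); the temporary above removes the warning and the write past the field at the same time.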


A project around supporting the iPhone in Linux.

See http://libimobiledevice.org
