stringprep() doesn't match documentation

help-libidn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

stringprep() doesn't match documentation

From:	Thijs Alkemade
Subject:	stringprep() doesn't match documentation
Date:	Wed, 22 Oct 2014 19:28:50 +0200

Hi,

The documentation for the stringprep() function states:

"[I]ndicate how large the buffer holding the string is. This function will not
_read_ or write to characters outside that size."

Looking at the source, this is clearly not true: the maxlen argument to
stringprep() is only used at the end to check whether the resulting string
fits in the buffer. The stringprep_utf8_to_ucs4() call is not restricted to
stay within any limits.

This means that, if an attacker is able to inject invalid UTF-8 into the input
buffer used for stringprep(), the lack of error checking by
stringprep_utf8_to_ucs4() can be used to skip over the actual terminating
NULL-byte, causing he stringprep call to read memory past the buffer it was
supposed to not read outside of. Sure, this is the application's fault for not
properly veryfing the input is UTF-8, but the mismatch between the
documentation and the function makes this worse.

Best regards,
Thijs Alkemade

signature.asc
Description: Message signed with OpenPGP using GPGMail

[Prev in Thread]

Current Thread

[Next in Thread]

stringprep() doesn't match documentation, Thijs Alkemade <=

Prev by Date: libidn2-0 0.10-2 MIGRATED to testing
Previous by thread: libidn2-0 0.10-2 MIGRATED to testing
Index(es):
- Date
- Thread