Re: out of bounds stack access in idn tool

help-libidn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: out of bounds stack access in idn tool

From:	Simon Josefsson
Subject:	Re: out of bounds stack access in idn tool
Date:	Sun, 12 Jul 2015 17:20:04 +0200
User-agent:	Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

Hanno Böck <address@hidden> writes:

> Hi,
>
> When passing the attacked file (libidn-oob-stack-read-main) to the idn
> command line tool this will cause an out of bounds stack access. This
> can be seen with either valgrind or by recompiling idn with address
> sanitizer. The input consists of a random character, a newline and a
> zero byte.
>
> The error happens in the function main in this code
>       if (readbuf[strlen (readbuf) - 1] == '\n')
>       readbuf[strlen (readbuf) - 1] = '\0';
>
> If readbuf is a zero byte string this won't work. I have attached a
> patch how to prevent this. Not sure if this is the best way, but it
> prevents the oob access.

Thank you for the report.  I believe idn should use getline instead of
this funky fixed-buffer fgets+hacks approach.  I'll try to implement it.

/Simon

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

out of bounds stack access in idn tool, Hanno Böck, 2015/07/09
- Re: out of bounds stack access in idn tool, Simon Josefsson <=

Prev by Date: libidn_1.31-1_amd64.changes ACCEPTED into unstable
Next by Date: squeeze update of libidn?
Previous by thread: out of bounds stack access in idn tool
Next by thread: out of bounds stack read in function idna_to_ascii_4i
Index(es):
- Date
- Thread