Bug 1671738 Comment 0 Edit History


During the audit of the RNP source code, it was discovered that the function partial_dst_write() is potentially prone to an integer overflow due to the declaration of wrlen as a signed integer. When wrlen becomes negative and is passed to dst_write(), it will be cast to size_t, yielding a very large unsigned integer.

It has to be noted though that the vulnerable code path cannot be reached due to the condition check, namely if len is greater than param->partlen - param->len. Nevertheless, this issue is reported for the sake of completeness.

Affected File:
rnp/src/librepgp/stream-write.cpp

Affected Code:
~~~~~
static rnp_result_t
partial_dst_write(pgp_dest_t *dst, const void *buf, size_t len)
{
    pgp_dest_partial_param_t *param = (pgp_dest_partial_param_t *) dst->param;
    int                       wrlen;
    if (!param) {
        RNP_LOG("wrong param");
        return RNP_ERROR_BAD_PARAMETERS;
    }

    if (len > param->partlen - param->len) {
        /* we have full part - in block and in buf */
        wrlen = param->partlen - param->len;
        dst_write(param->writedst, &param->parthdr, 1);
        dst_write(param->writedst, param->part, param->len);
        dst_write(param->writedst, buf, wrlen);
[...]
~~~~~
Cure53 recommends changing the data type of wrlen from “int” to “size_t” in order to avoid the potential risk of an integer underflow.
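The following is an added illustration of the sign-conversion hazard described in this report; it is not RNP's code. The struct, the write sink (`demo_dst_write`) and the two helper functions are constructed for the demo, and the sizes used in the comments are made-up inputs. It shows the audited pattern (remaining chunk space computed into an `int`, then handed to a `size_t` parameter) next to a variant that keeps the arithmetic in `size_t` and rejects inconsistent state up front.

```c
/* Added example (not RNP's code): why a signed wrlen passed to a size_t
 * parameter is dangerous, and a size_t-based variant of the same arithmetic.
 * All names below are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the partial-length writer state. */
typedef struct {
    size_t partlen; /* size of one partial-length chunk */
    size_t len;     /* bytes already buffered in the current chunk */
} demo_partial_param_t;

/* Constructed stand-in for dst_write(): only records the length it was asked
 * to write, so the effect of the conversion can be observed. */
static size_t demo_last_write_len;

static void
demo_dst_write(const void *buf, size_t len)
{
    (void) buf;
    demo_last_write_len = len;
}

/* Mirrors the audited pattern: remaining space is computed into a signed int
 * and then passed to a size_t parameter. Returns the length the sink saw.
 * With partlen = 16 and len_buffered = 20 (constructed inputs) wrlen becomes
 * -4, which converts to SIZE_MAX - 3 at the call site. */
size_t
demo_signed_wrlen(size_t partlen, size_t len_buffered, const void *buf)
{
    int wrlen = (int) (partlen - len_buffered); /* same arithmetic as the audited code */
    demo_dst_write(buf, wrlen);                 /* implicit int -> size_t conversion */
    return demo_last_write_len;
}

/* Hardened variant: keep the arithmetic in size_t and refuse inconsistent
 * state instead of letting a negative value wrap to a huge unsigned length.
 * Returns 0 on success and stores the written length; -1 if len_buffered
 * already exceeds partlen (the subtraction would underflow). */
int
demo_unsigned_wrlen(size_t partlen, size_t len_buffered, const void *buf, size_t *out_wrlen)
{
    if (len_buffered > partlen) {
        return -1; /* would underflow: never reach the write */
    }
    size_t wrlen = partlen - len_buffered;
    demo_dst_write(buf, wrlen);
    *out_wrlen = demo_last_write_len;
    return 0;
}
```

In the real function the `if (len > param->partlen - param->len)` guard keeps `partlen - len` non-negative, which is why the report notes the path is unreachable; the `size_t` variant removes the dependence on that guard being preserved by future edits.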
