RNP-01-004 WP1 RNP: Potential Integer underflow in partial_dst_write() (Low)
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
(thunderbird_esr78 fixed)
Tracking | Status | |
---|---|---|
thunderbird_esr78 | --- | fixed |
People
(Reporter: wsmwk, Assigned: o.nickolay)
References
Details
(Keywords: sec-low, Whiteboard: [RNP][fixed-in-rnp])
During the audit of the RNP source code, it was discovered that the function partial_dst_write() is potentially prone to an Integer overflow due to the declaration of wrlen as a signed integer. When wrlen becomes negative, in the code calling dst_write(), wrlen will be cast to size_t, a big unsigned integer.
It has to be noted though that the vulnerable code path cannot be reached due to the condition check, namely if len is greater than param->partlen - param->len. Nevertheless, this issue is reported for the sake of completeness.
Affected File:
rnp/src/librepgp/stream-write.cpp
Affected Code:
static rnp_result_t
partial_dst_write(pgp_dest_t *dst, const void *buf, size_t len)
{
    pgp_dest_partial_param_t *param = (pgp_dest_partial_param_t *) dst->param;
    int wrlen;
    if (!param) {
        RNP_LOG("wrong param");
        return RNP_ERROR_BAD_PARAMETERS;
    }
    if (len > param->partlen - param->len) {
        /* we have full part - in block and in buf */
        wrlen = param->partlen - param->len;
        dst_write(param->writedst, &param->parthdr, 1);
        dst_write(param->writedst, param->part, param->len);
        dst_write(param->writedst, buf, wrlen);
        [...]
Cure53 recommends changing the data type of wrlen from “int” to “size_t” in order to avoid the potential risk of an Integer underflow.
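An added illustration of the conversion described in the report (not code from RNP, the audit, or the linked fix): a negative int passed as a size_t length turns into a very large value, while a size_t variant with an explicit state check rejects the inconsistent state. The struct, its size_t field types, sink_len(), remaining_via_int() and plan_write() are hypothetical names for this example, and the sample states are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the partial-packet state. Field names follow the
 * snippet above; the size_t types are an assumption of this example. */
typedef struct {
    size_t partlen; /* size of one full partial block */
    size_t len;     /* bytes already buffered in the block */
} partial_state_t;

/* Stand-in for dst_write(): returns the length the callee would receive. */
static size_t sink_len(size_t len) { return len; }

/* Pattern from the report: the remaining space is stored in a signed int
 * and then passed where a size_t is expected. The out-of-range conversion
 * to int is implementation-defined; common compilers wrap it. */
static size_t remaining_via_int(const partial_state_t *st)
{
    int wrlen = (int) (st->partlen - st->len);
    return sink_len(wrlen); /* implicit int -> size_t conversion */
}

/* size_t variant with an explicit state check.
 * Returns 1 and sets *wrlen when `len` bytes complete a full part,
 * 0 when they fit in the block, -1 when the state is inconsistent. */
static int plan_write(const partial_state_t *st, size_t len, size_t *wrlen)
{
    if (st->len > st->partlen) {
        return -1; /* partlen - len would wrap around */
    }
    if (len > st->partlen - st->len) {
        *wrlen = st->partlen - st->len;
        return 1;
    }
    return 0;
}

int main(void)
{
    partial_state_t ok = {8192, 100};  /* constructed: consistent state */
    partial_state_t bad = {100, 8192}; /* constructed: len exceeds partlen */
    size_t wrlen = 0;

    printf("ok:  via int = %zu\n", remaining_via_int(&ok));
    printf("bad: via int = %zu\n", remaining_via_int(&bad));
    printf("ok:  plan_write = %d\n", plan_write(&ok, 9000, &wrlen));
    printf("bad: plan_write = %d\n", plan_write(&bad, 9000, &wrlen));
    return 0;
}
```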
Assignee
Comment 1•4 years ago
Fixed via https://github.com/rnpgp/rnp/pull/1331
Comment 2•3 years ago
fixed by bug 1675516
78.5.1