Closed Bug 1671738 Opened 4 years ago Closed 3 years ago

RNP-01-004 WP1 RNP: Potential Integer underflow in partial_dst_write() (Low)

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

(thunderbird_esr78 fixed)

RESOLVED FIXED
84 Branch
Tracking Status
thunderbird_esr78 --- fixed

People

(Reporter: wsmwk, Assigned: o.nickolay)

References

Details

(Keywords: sec-low, Whiteboard: [RNP][fixed-in-rnp])

During the audit of the RNP source code, it was discovered that the function partial_dst_write() is potentially prone to an integer overflow due to the declaration of wrlen as a signed integer. When wrlen becomes negative, in the code calling dst_write() wrlen will be cast to size_t, a big unsigned integer.

It has to be noted, though, that the vulnerable code path cannot be reached due to the condition check, namely whether len is greater than param->partlen - param->len. Nevertheless, this issue is reported for the sake of completeness.

Affected File:
rnp/src/librepgp/stream-write.cpp

Affected Code:

static rnp_result_t
partial_dst_write(pgp_dest_t *dst, const void *buf, size_t len)
{
    pgp_dest_partial_param_t *param = (pgp_dest_partial_param_t *) dst->param;
    int                       wrlen; /* signed: the declaration Cure53 flags */
    if (!param) {
        RNP_LOG("wrong param");
        return RNP_ERROR_BAD_PARAMETERS;
    }

    if (len > param->partlen - param->len) {
        /* we have full part - in block and in buf */
        wrlen = param->partlen - param->len; /* size_t difference narrowed to int */
        dst_write(param->writedst, &param->parthdr, 1);
        dst_write(param->writedst, param->part, param->len);
        dst_write(param->writedst, buf, wrlen); /* int converted back to size_t here */
[...]

Cure53 recommends changing the data type of wrlen from "int" to "size_t" in order to avoid the potential risk of an integer underflow.
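The narrowing described in the finding, as an added example that is not code from this bug report or from RNP: a constructed stand-in for the parameter block with only the two fields the finding mentions, the flagged int-typed length computation next to the size_t form Cure53 recommends, and the guard the report points out (the len > partlen - len comparison) shown to keep the path closed when the buffered length is inconsistent. The names demo_partial_param_t, flagged_write_len and hardened_write_len are hypothetical; the numeric behaviour assumes a 32-bit int with modulo wraparound on out-of-range conversion, as GCC and Clang implement it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for RNP's partial-write parameter block: only the two
 * fields the finding talks about. Not the real pgp_dest_partial_param_t. */
typedef struct {
    size_t partlen; /* size of one partial-body chunk */
    size_t len;     /* bytes already buffered in the current chunk */
} demo_partial_param_t;

/* Mirrors the flagged pattern: the size_t difference is stored in an int and
 * then handed to a size_t parameter (dst_write's len). Returns the length the
 * sink would be asked to write; 0 means the "full part" branch was not taken. */
size_t flagged_write_len(const demo_partial_param_t *param, size_t len)
{
    int wrlen = 0;
    if (len > param->partlen - param->len) {
        /* size_t -> int: values above INT_MAX wrap to a negative int */
        wrlen = (int) (param->partlen - param->len);
    }
    /* int -> size_t: a negative wrlen becomes a huge unsigned length */
    return (size_t) wrlen;
}

/* Hardened form following the recommendation: wrlen keeps the size_t type of
 * the operands, and an explicit invariant check refuses a corrupted state
 * (len > partlen) instead of letting the subtraction wrap. Returns 0 on
 * success and -1 when the invariant is violated. */
int hardened_write_len(const demo_partial_param_t *param, size_t len, size_t *out)
{
    if (param->len > param->partlen) {
        return -1; /* buffered more than one part: inconsistent state */
    }
    size_t wrlen = 0;
    if (len > param->partlen - param->len) {
        wrlen = param->partlen - param->len; /* no narrowing, no sign change */
    }
    *out = wrlen;
    return 0;
}

int main(void)
{
    /* constructed inputs */
    demo_partial_param_t normal = {512, 100};              /* ordinary chunk */
    demo_partial_param_t wide = {(size_t) INT_MAX + 2, 0}; /* remainder > INT_MAX */
    demo_partial_param_t corrupt = {512, 600};             /* len > partlen */
    size_t out = 0;

    printf("normal : flagged=%zu\n", flagged_write_len(&normal, 1000));
    printf("wide   : flagged=%zu (negative int seen as size_t)\n",
           flagged_write_len(&wide, (size_t) INT_MAX + 3));
    printf("corrupt: flagged=%zu (guard keeps the branch closed)\n",
           flagged_write_len(&corrupt, 1));
    printf("hardened corrupt -> %d\n", hardened_write_len(&corrupt, 1, &out));
    return 0;
}
```

The third case is the one the report describes: with param->len larger than partlen the subtraction wraps to a very large size_t, so len > partlen - len is false and the flagged branch is never entered. The second case shows why the type still matters: once the remaining space exceeds INT_MAX, the int holds a negative value that sign-extends back into a huge size_t, which is exactly what the size_t declaration removes.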

Group: mail-core-security
Assignee: nobody → o.nickolay
Whiteboard: [RNP] → [RNP][fixed-in-rnp]
Keywords: sec-low

fixed by bug 1675516
78.5.1

Depends on: 1675516
Target Milestone: --- → 84 Branch
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: mail-core-security