Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Mar 2019 21:34:58 +0000
From: Ryan Fairfax <rfairfax@...rosoft.com>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: RE: [PATCH] Update dn_skipname to work with utf-8 names

> This is unsafe on untrusted input, in that p += *p + 1 may have
> undefined behavior. It should be possible to make it safe by comparing
> against end-p before doing it, and returning -1 in that case.
> 
> At some level this is a "theoretical" bug, since the amount of the
> increment is bounded by 256, and any valid pointer is bounded away
> from the end of address space (the obvious point where the comparison
> p<end would go wrong) by at least 4096. However allowing UB like that
> means that it's no longer safe to build the file with hardened tooling
> that traps on UB, which is why it should be fixed.
> 
> Rich

Excellent point.  A corrected patch that checks that the length we're skipping is less than (end-p) is attached.

Download attachment "0001-Update-dn_skipname-to-work-with-utf-8.patch" of type "application/octet-stream" (1327 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.