help-libidn

Re: out of bounds stack read in function idna_to_ascii_4i


From: Simon Josefsson
Subject: Re: out of bounds stack read in function idna_to_ascii_4i
Date: Wed, 20 Jul 2016 18:29:49 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

Hanno Böck <address@hidden> writes:

> Hi,
>
> When passing an input of exactly 64 bytes to the idn tool it will
> generate an out of bounds stack read.
> This happens in the function idna_to_ascii_4i.
>
> In Line 213 if the input is less than 64 bytes it will zero-terminate
> the string. However if it's exactly 64 bytes the input will fill the
> out buffer and no zero termination will happen. Therefore the strlen
> call in line 271 will cause an out of bounds.
>
> Attached a sample input and a patch that will return an error on a 64
> byte input. The strlen (out) > 63 check doesn't really make sense,
> because inside a 64 byte buffer there can never be a correct
> zero-terminated string longer than 63 bytes. Therefore I've removed
> that check.
>
> Found with the help of american fuzzy lop.

Thank you Hanno.  This was fixed in git earlier this year, but real life
intervened and distracted me.  Here is a link to the commit that should
fix this:

http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d

I'm preparing a new release, so if you or anyone else has any concerns
over this patch, now is a good time to bring it up.

/Simon
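
The termination gap described in the report above, as an added example that is not part of the original thread and is not libidn's code or the linked commit. It is a simplified model: the function names and the -1 error value are hypothetical, and the 64-byte buffer and 63-byte limit are taken from the report.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_BUF 64   /* size of the out buffer named in the report */
#define LABEL_MAX 63   /* longest string that still leaves room for the NUL */

/* Length bounded by the buffer: returns cap when no NUL is found, never reads past cap. */
static size_t bounded_len(const char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (size_t)(nul - buf) : cap;
}

/* Pattern from the report: terminate only when the input is shorter than the
 * buffer. Returns 1 if out is NUL-terminated, 0 if a later strlen(out) would
 * run off the end of the array. */
static int copy_unsafe_pattern(char out[LABEL_BUF], const char *in, size_t inlen)
{
    size_t n = inlen < LABEL_BUF ? inlen : LABEL_BUF;
    memcpy(out, in, n);
    if (n < LABEL_BUF)
        out[n] = '\0';          /* skipped when n == 64 */
    return bounded_len(out, LABEL_BUF) < LABEL_BUF;
}

/* Hardened form: reject over-long input before copying, always terminate. */
static int copy_checked(char out[LABEL_BUF], const char *in, size_t inlen)
{
    if (inlen > LABEL_MAX)
        return -1;              /* hypothetical error code */
    memcpy(out, in, inlen);
    out[inlen] = '\0';
    return 0;
}

int main(void)
{
    char in[LABEL_BUF], out[LABEL_BUF];
    memset(in, 'a', sizeof in); /* constructed sample input, no NUL */
    for (size_t len = 63; len <= 64; len++)
        printf("len=%zu terminated=%d checked=%d\n", len,
               copy_unsafe_pattern(out, in, len), copy_checked(out, in, len));
    return 0;
}
```
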
