Fixes buffer underflow #6143
H5Iget_name() documents passing NULL when querying the object name length. However, passing a non-NULL buffer with size == 0 results in undefined behavior if a write is attempted. This fix defensively treats (name != NULL, size == 0) as a length-only query by setting name = NULL at the API level.
release_docs/CHANGELOG.md
Outdated
|
|
||
| ## Library | ||
|
|
||
| ### Fixes security issue GHSA-5c6x-jmgf-f5vc |
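Review bot: the added heading "### Fixes security issue GHSA-5c6x-jmgf-f5vc" identifies the fix only by its advisory id, so a reader scanning the changelog cannot tell from the heading which API is affected. Consider naming H5Iget_name() and the (name != NULL, size == 0) case in the heading or its first sentence, and keeping the advisory id as a reference.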
@bmribler , is GHSA-5c6x-jmgf-f5vc valid and correct?
I can't easily locate it on Internet.
@hyoklee Yes, it is one of the private security issues. There are some similar ones already in the CHANGELOG.md.
@bmribler , I don't see any in release_docs/CHANGELOG.md that has GHSA.
Do you mean release_docs/HISTORY* files?
They have corresponding CVE-YYYY-XXXXX .
Does this one have a corresponding CVE number? If so, should that be entered instead?
There is no CVE number for this issue yet. It's still not public, at least.
mattjala left a comment
I think this should throw an error instead of making an assumption about the user's intentions. This would match the H5Iget_name documentation better, which seems like it would consider a non-NULL zero size buffer an invalid input.
My understanding is the documentation says "...a preliminary call to H5Iget_name() with the last two parameters set to NULL and zero respectively can be made.", and does not indicate that they must be NULL and zero to be valid.
H5Iget_name() documents passing NULL when querying the object name length. However, passing a non-NULL buffer with size == 0 results in undefined behavior if a write is attempted.
This PR defensively treats (name != NULL, size == 0) as a length-only query by setting name = NULL at the API level.
This fixes a security issue.
Important
Fixes buffer underflow in H5Iget_name() by treating (name != NULL, size == 0) as a length-only query.
H5Iget_name() in H5I.c, treat (name != NULL, size == 0) as a length-only query by setting name = NULL to prevent undefined behavior.
size is 0 and name is non-NULL.
This description was created by for 728923c.
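An added example, not HDF5 source and not code from this PR: a C sketch of the two API-level policies discussed in this thread for the (name != NULL, size == 0) case. The names copy_name_internal, get_name_lenient and get_name_strict are hypothetical, and the `size - 1` clamp is an assumed illustration of how a zero size can reach a write.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h> /* ssize_t */

/* Hypothetical internal copy step (not HDF5 source). It assumes size >= 1:
 * with size == 0, size - 1 wraps to SIZE_MAX, the clamp never triggers and
 * the whole string is written through a zero-length buffer. */
static void copy_name_internal(char *buf, size_t size, const char *full)
{
    size_t n = strlen(full);
    if (n > size - 1)
        n = size - 1;
    memcpy(buf, full, n);
    buf[n] = '\0';
}

/* Policy from the PR description: (name != NULL, size == 0) becomes a
 * length-only query by clearing name before any write path is reached. */
ssize_t get_name_lenient(const char *full, char *name, size_t size)
{
    if (size == 0)
        name = NULL;
    if (name != NULL)
        copy_name_internal(name, size, full);
    return (ssize_t)strlen(full);
}

/* Alternative raised in review: treat the combination as invalid input. */
ssize_t get_name_strict(const char *full, char *name, size_t size)
{
    if (name != NULL && size == 0)
        return -1; /* negative return signals failure */
    if (name != NULL)
        copy_name_internal(name, size, full);
    return (ssize_t)strlen(full);
}

int main(void)
{
    char probe[1]; /* non-NULL pointer passed with size 0 */
    const char *path = "/group/dset"; /* constructed sample name */
    printf("lenient: %zd\n", get_name_lenient(path, probe, 0));
    printf("strict:  %zd\n", get_name_strict(path, probe, 0));
    return 0;
}
```

Both policies keep the copy step from ever seeing size == 0; they differ only in whether the caller gets the length back or an error.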