Skip to content

util: fix deserialize buffer overflow #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

util: fix deserialize buffer overflow #74

wants to merge 1 commit into from

Conversation

@alonbl
Copy link
Member

@alonbl alonbl commented Nov 6, 2025

Missing check for source file increment.

Reported-by: Aarnav Bos [email protected]

selvanair
selvanair reviewed Nov 7, 2025
View reviewed changes
Copy link
Contributor

@selvanair selvanair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is a simpler version which I hope is correct :)
https://gist.github.com/selvanair/e541faacac36a40f1066b091e87084de

lib/pkcs11h-util.c Outdated
else {
if (t != NULL) {
if (n+1 > *max) {
s++;
Copy link
Contributor

@selvanair selvanair Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If t == NULL, this can advance past the end of s.

lib/pkcs11h-util.c Outdated
s++;

if (t != NULL && n < m) {
if (b2 = _ctoi(*s) == -1) {
Copy link
Contributor

@selvanair selvanair Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be ((b2 = _ctoi(*s)) == -1)

Copy link
Member Author

@alonbl alonbl Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah!!! thank you for finding it.

lib/pkcs11h-util.c Outdated
t++;
}
n++;
s++;
Copy link
Contributor

@selvanair selvanair Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can advance past the end if t is NULL or n >= m.

Copy link
Member Author

@alonbl alonbl Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for reviewing... bummer I wanted to avoid logic when t == NULL...

@alonbl
util: fix deserialize buffer overflow
e1be3b8 
Missing check for source file increment.

Reported-by: Aarnav Bos <[email protected]>
@alonbl
Copy link
Member Author

alonbl commented Nov 7, 2025

@selvanair thank you so much for the review, I've modified the implementation to use macros, I hope now all is ok.

@alonbl alonbl mentioned this pull request Nov 7, 2025
Open
@selvanair
Copy link
Contributor

selvanair commented Nov 7, 2025
edited
Loading

Looks good to me if returning a wrong value of *max is okay in case of error. Let's see whether the fuzzer can still crash it!

@R9295
Copy link

R9295 commented Nov 10, 2025

@selvanair @alonbl the fix also looks good from the fuzzing side!

@alonbl
Copy link
Member Author

alonbl commented Nov 10, 2025

Thank you all!

@alonbl alonbl closed this Nov 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@selvanair selvanair selvanair left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alonbl @selvanair @R9295