Closed pauldreik closed 4 years ago
@pauldreik Thanks for this patch. I'm away on vacation at the moment so I'm not going to have a chance to look into this more deeply until next week. Can you check into why the build is failing? Looks like one of the automated tests is failing. Thanks.
It was the memory allocation test which failed, because it compared the output to the last time. I reworked it a bit, now it passes.
Hi @verdammelt , have you had a chance to look at this yet? Thanks, Paul
Instead of changing the interface of xcalloc/xmalloc can we just have that the extra ADDNULL macros which +1
to the provided length - or in the two places called simply +1
there? I'd rather just do that.
I started with the +1 approach, but that is dangerous since it creates a possibility for integer overflow on the call site. See here: https://github.com/verdammelt/tnef/pull/40/commits/7109b9ec57c9f41362220a78ad488d92af61b987
Also, it will make the tests break since they check the debug output compared to the checked in output from an earlier version.
Then I moved the "+1 functionality" inside the xcalloc call: https://github.com/verdammelt/tnef/pull/40/commits/375d20fe753e27c6798f5d73bab647f2b27e3bdc The functionality for safely checking for integer overflow is inside that function.
I understand you do not like it, it is pretty ugly, but at least it is correct.
You can implement this however you prefer, I am happy as long as the end result is free of undefined behaviour, buffer overflows and integer overflows!
ah, I think I see your point. I'll merge.
Also @pauldreik thanks for the PRs...
My pleasure! Thanks for maintaining this useful tool.
@verdammelt can you comment on what the consequence could be of this bug? I would say opening a crafted file could lead to a file with a weird filename may be created on the system, but could that weird file name end up being in another directory (say ../../.ssh/authorized_keys if the heap could be prepared)?
Yes, it seems perhaps with a specially constructed file you could get files written to unexpected locations or with contents not as expected.
I don't know how easy it would be to do either - but it seems that this bug would make that possible.
This has been assigned CVE-2019-18849
A buffer read overflow may happen at file.c line 236 where strdup() is invoked. strdup() will just search until it finds a null terminator. If there was none, it will continue past the heap allocated memory. (Update 20191110: there is another one in mapi_attr.c, see https://github.com/verdammelt/tnef/pull/40/commits/3ae8b93746aa6403420b9907886993ceaa6705e3)
The effect of this read overflow is that either the application crashes from a segfault, or "random" data is being duplicated, the effect of which I do not know. Writing a file with garbage suffixed to the name, perhaps, but there seem to be some kind of sanitation in path.c preventing that.
Update: there is another similar situation in mapi_attr.c, also fixed in this pull request.
An example input that triggers the behaviour is base64 encoded here:
To prove the bug, run
and get (source lines are not accurate, I ran it on the patched version, with the fix disabled)