Page MenuHome GnuPG - static
Create Task
Maniphest T8246

ksba: Silent truncation of 64-bit length fields in > S-expression encoding
Closed, ResolvedPublic
Actions

Description

From a report received today:

CWE-197: Silent truncation of 64-bit length fields in S-expression encoding

In five locations, unsigned long length fields are cast to `unsigned
int` when building S-expressions:

cms.c:951      sprintf (numbuf,"(%u:", (unsigned int)n->len);
cert.c:521     sprintf (numbuf,"(%u:", (unsigned int)n->len);
cert.c:1923    sprintf (numbuf,"(%u:", (unsigned int)ti.length);
cert.c:1936    sprintf (numbuf,"(%u:", (unsigned int)keyid_derlen);
cert.c:2011    sprintf (numbuf,"(%u:", (unsigned int)ti.length);

On 64-bit platforms where sizeof(unsigned long) > sizeof(unsigned
int), any field with length > UINT_MAX (4,294,967,295) produces a
silently truncated length prefix while the data is copied in full
using the original unsigned long value. The resulting S-expression is
structurally malformed: the declared length does not match the actual
content. Downstream consumers (gpgsm, GnuPG's certificate store) would
either mismatch or skip the object.

Revisions and Commits

rK libksba
rK2d120e345537 Fix other silent truncation of length fields.
rKc44cc98460ea Fix silent truncation of 64 bit length fields.

Related Objects

Event Timeline

werner created this task.Mon, May 4, 3:32 PM
werner created this object in space Restricted Space.
werner triaged this task as Normal priority.Tue, May 5, 11:47 AM

For the two first cases (n->len) this is not a problem because len is an int. For the other cases it is better to use a reasonable upper limit to avoid excessive memory allocation.

werner added a commit: rKc44cc98460ea: Fix silent truncation of 64 bit length fields..Tue, May 5, 11:51 AM
werner added a comment.Tue, May 5, 11:54 AM

To be released with 1.7.0

werner added a commit: rK2d120e345537: Fix other silent truncation of length fields..Tue, May 5, 12:11 PM
werner mentioned this in T8121: Release LibKSBA 1.7.0.Thu, May 7, 9:49 AM
werner closed this task as Resolved.Thu, May 7, 10:34 AM
werner claimed this task.
werner shifted this object from the Restricted Space space to the S1 Public space.Tue, May 12, 9:27 AM