Skip to content
This repository was archived by the owner on Apr 9, 2020. It is now read-only.

Fix problem exactly filling a buffer when encoding.#49

Open
sbertin-telular wants to merge 2 commits intocabo:masterfrom
sbertin-telular:fix_ensure_writable
Open

Fix problem exactly filling a buffer when encoding.#49
sbertin-telular wants to merge 2 commits intocabo:masterfrom
sbertin-telular:fix_ensure_writable

Conversation

@sbertin-telular
Copy link

@sbertin-telular sbertin-telular commented Apr 11, 2018

The size check suffered from an off by one error.
This also avoids problems with overflow.

@sbertin-telular
Fix problem exactly filling a buffer when encoding.
7ff99e3 
The size check suffered from an off by one error.
This also avoids problems with overflow.
cabo
cabo reviewed Apr 12, 2018
View reviewed changes
Copy link
Owner

@cabo cabo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I do have one question, though...

src/cn-encoder.c
} cn_write_state;

#define ensure_writable(sz) if ((ws->offset<0) || (ws->offset + (sz) >= ws->size)) { \
#define ensure_writable(sz) if ((ws->offset<0) || (ws->size - ws->offset < (sz))) { \
Copy link
Owner

@cabo cabo Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely a good change...

src/cn-encoder.c Outdated
const cn_cbor *cb)
{
cn_write_state ws = { buf, buf_offset, buf_size };
if (ws.size < 0) { return -1; }
Copy link
Owner

@cabo cabo Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When would this be the case?

Copy link
Author

@sbertin-telular sbertin-telular Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In normal use I would expect it would not happen, but if buf_size has the high bit set and buf_offset is non-zero the check in ensure_writable could underflow. Probably an overabundance of caution, but issue #12 made me think about what could happen in an attack situation.

Copy link
Author

@sbertin-telular sbertin-telular Apr 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you like to see this removed? Or maybe change ws.size from ssize_t to size_t? I'd like to see the off by one error fixed. It seems there were attempts to do so since 2015 that never quite made it.

@cabo
Copy link
Owner

cabo commented Apr 13, 2018

I generally prefer to make all these calculations unsigned so I don't run into implementation-defined issues. Unfortunately, -1 means something special for ws.offset, which probably is the reason it was defined as ssize_t. Once you mix signed and unsigned, interesting things happen in C, so if we want to change ws.size to size_t, we might have to change ws.offset, too. In any case, a ws.size of more than half of the address space doesn't sound right, so this seems to be more of an "assert" kind of check.

@jimsch
Copy link
Contributor

jimsch commented Apr 16, 2018

Also look at #25 which does the same thing

@sbertin-telular
Copy link
Author

sbertin-telular commented Apr 17, 2018

Is anything else needed to get this merged?

@sbertin-telular sbertin-telular mentioned this pull request Apr 23, 2018
Open
@sbertin-telular sbertin-telular mentioned this pull request Mar 4, 2019
Open
@sbertin-telular sbertin-telular mentioned this pull request Jul 9, 2019
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@cabo cabo cabo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sbertin-telular @cabo @jimsch