From: Antonio Q. <a...@un...> - 2017-12-29 10:02:37
Hi,

On 29/12/17 17:54, Steffan Karger wrote:
> As pointed out in finding OVPN-05 of the cryptography engineering audit
> (funded by Private Internet Access), buffer_list_aggregate_separator()
> could perform a 0-byte malloc when called with a list of 0-length buffers
> and a "" separator. If other code would later try to access that buffer
> memory, this would result in undefined behaviour. To prevent this, always
> malloc() 1 byte.
>
> To simplify as we go, use alloc_buf() to allocate the buffer. This has
> the additional benefit that the actual buffer data (not the contents) is
> zero-terminated, because alloc_buf() calls calloc() and we have 1 extra
> byte of data.
>
> Signed-off-by: Steffan Karger <ste...@fo...>

Acked-by: Antonio Quartulli <a...@un...>

--
Antonio Quartulli
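The allocation rule described in the quoted commit message, as an added C example that is not OpenVPN code and not part of the original e-mail. `struct chunk` and `join_chunks()` are hypothetical names, and appending the separator after every chunk is an assumption of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a list of length-tagged buffers. */
struct chunk {
    const unsigned char *data;
    size_t len;
};

/*
 * Join n chunks, appending sep after each one (a choice of this example).
 * Returns a calloc()ed buffer holding *out_len data bytes plus one zero
 * byte, or NULL on size overflow or allocation failure.
 */
unsigned char *
join_chunks(const struct chunk *list, size_t n, const char *sep, size_t *out_len)
{
    size_t sep_len = strlen(sep);
    size_t total = 0;

    for (size_t i = 0; i < n; i++) {
        /* Reject sums that would wrap size_t, keeping room for the +1. */
        if (list[i].len > SIZE_MAX - 1 - total
            || sep_len > SIZE_MAX - 1 - total - list[i].len) {
            return NULL;
        }
        total += list[i].len + sep_len;
    }

    /* total is 0 for empty chunks and "": total + 1 avoids a 0-byte request. */
    unsigned char *out = calloc(1, total + 1);
    if (out == NULL) {
        return NULL;
    }

    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (list[i].len > 0) {      /* data may be NULL for an empty chunk */
            memcpy(out + off, list[i].data, list[i].len);
        }
        off += list[i].len;
        memcpy(out + off, sep, sep_len);
        off += sep_len;
    }

    *out_len = total;
    return out;
}
```

With the extra zeroed byte, a caller that reads the first byte of an empty result touches valid, initialized memory instead of whatever a 0-byte allocation returned.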