[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Stack overflow in checksum.c

From: Hyrum K Wright <hyrum_at_hyrumwright.org>
Date: Mon, 26 Jan 2015 23:07:51 -0500

There's a stack overflow bug in subversion/libsubr/checksum.c.

The functions svn_checksum__from_digest_fnv1a_32x4() and
svn_checksum__from_digest_fnv1a_32() both look something like this:

svn_checksum_t *
svn_checksum__from_digest_fnv1a_32x4(const unsigned char *digest,
        apr_pool_t *result_pool)
{
  return checksum_create(svn_checksum_fnv1a_32x4, sizeof(digest), digest,
     result_pool);
}

The problem is that checksum_create() expects the length of the string
pointed to by digest, but sizeof(digest) returns the number of bytes that a
variable of type 'const unsigned char *' requires. These methods are
currently only called with unint32_t cast to an unsigned char, but on
platforms which have 8-byte pointers, this leads to a buffer overflow in
checksum_create() when it tries to read more than the provided 4 bytes.

I *think* the correct fix is to add a digest_size argument
to svn_checksum__from_digest_fnv1a_32x4() and
svn_checksum__from_digest_fnv1a_32(), but I'm not sure if there's a better
way which somebody more familiar with this code would know about.

By all accounts, this code hasn't been released yet, so it's not a yet
security issue (hence the post to dev@ and not private@), but I thought
somebody would like to be aware of it. :)

-Hyrum
Received on 2015-01-27 05:09:35 CET

This is an archived mail posted to the Subversion Dev mailing list.