Source Code Review

Finding exploits in C code and sometimes other programming languages!

[C] Check Again

Initial Thoughts

The size of the header structure is most likely 8, so the first if statement check if length > 1024+8-1 or length > 1031. I see that the buffer is of size 1024. During the second read_sock function call, it calls to buffer with length-8, this may lead to an overflow issue since only the upper bound of length was checked.

Further Analysis

The function get_data in theory takes in a socket and parses data into a buffer. The key vulnerability is on line 19:

if(read_sock(sock, buffer, length-sizeof(struct header)) <= 0) {

If the length variable is smaller than the header size, this will cause an overflow. For example, assume that the first message read the string "hello". The first read_sock would have read the message of length 5 and stored a header structure with length 5. This would have passed the comparison because length = 5 < 1031 but when it get's to the second read_sock function, it would call read_sock(sock, buffer, 5-8=-3). The -3 would wrap around to INT_MAX and allow the user to write much more than 1024 characters to the buffer.

[Rust] Beyond the Grave

Initial Thoughts

This is a piece of a rust code. It seems like it's declaring a public function called sign which creates a variable p that gets assigned two values, (1) being BioSlice data which is a pointer, and (2) which is a NULL pointer. There's a line that starts with unsafe, where it sets a variable named cms to cvt_p(CMS_sign(p)) which I'm guessing is a signature of the previous set data.

Further Analysis

This is a rust specific issue that has to do with rust object lifetimes. Within each curly brace set, a lifetime exists. When it goes out of scope, any variable defined within that lifetime gets freed. The first function actually sets the variable p to data if there is a return, else None if the pointer in NULL. The problem happens in the following line of code.

let cms = cvt_p(CMS_sign(p));

Here, p is going to get the value of the BioSlice that is newly created in that match statement. That data will get freed after leaving scope. The unsafe procedure let's you still access the p data without throwing an error from the compiler.