cyclonedds icon indicating copy to clipboard operation
cyclonedds copied to clipboard
verified publisher icon eclipse-cyclonedds

The return value check for vsnprintf in function cpf()

Open tangc1986 opened this issue 2 years ago • 2 comments

https://github.com/eclipse-cyclonedds/cyclonedds/blob/4572324e39bd837b9770890e7f71d03c420a2512/src/core/ddsi/src/ddsi_debmon.c#L100C25-L100C25

In the function cpf(), now checked the vsnprintf return value cnt: (cnt < 0 || cnt > UINT16_MAX - st->pos).

Should it used (cnt < 0 || cnt >= sizeof (st->chunkbuf) - st->pos) here?

tangc1986 avatar Jan 09 '24 03:01 tangc1986

The UINT16_MAX - st->pos looks like it is there to prevent overflow in https://github.com/eclipse-cyclonedds/cyclonedds/blob/4572324e39bd837b9770890e7f71d03c420a2512/src/core/ddsi/src/ddsi_debmon.c#L103 so treating it as error in this case is not unreasonable.

If sizeof(st->chunkbuf) < cnt - st->posUINT16_MAX it is will cpemitchunk which then uses st->pos as the size of the buffer, resulting in an out-of-bounds read.

I'd say that means cnt < 0 || cnt >= sizeof (st->chunkbuf) - st->pos would be correct if we also require that sizeof(st->chunkbuf) <= UINT16_MAX. Good catch ☺️

Chances are you can trigger it if you use a very long topic name. A good thing it isn't enabled by default!

eboasson avatar Jan 12 '24 13:01 eboasson

Thanks @eboasson for your response!

tangc1986 avatar Jan 29 '24 08:01 tangc1986