Control: notfound 773470 2.1.1

On Thu 2014-12-18 13:32:24 -0500, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
>
> On line 1242 of app-nks.c, 'xtrymalloc' is called with 'datalen',
> which is calculated using "size_t datalen = oldpinlen + newpinlen"

The code you're talking about is here (in scd/app-nks.c):

  1237   if ((flags & APP_CHANGE_FLAG_RESET))
  1238     {
  1239       char *data;
  1240       size_t datalen = oldpinlen + newpinlen;
  1241
  1242       data = xtrymalloc (datalen);
  1243       if (!data)
  1244         {
  1245           err = gpg_error_from_syserror ();
  1246           goto leave;
  1247         }
  1248       memcpy (data, oldpin, oldpinlen);
  1249       memcpy (data+oldpinlen, newpin, newpinlen);
  1250       err = iso7816_reset_retry_counter_with_rc (app->slot, pwid,
  1251                                                  data, datalen);
  1252       wipememory (data, datalen);
  1253       xfree (data);
  1254     }

> This does not account for the null-bytes, and may cause either a
> buffer overflow, or other problems down the line.

The only place where data is used is with memcpy() and
iso7816_reset_retry_counter_with_rc() and wipememory(). In these
invocations, the data buffer is passed with an appropriate size value
-- it is not used as a null-terminated string.

I'm closing this report because it is not a bug.

        --dkg
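The point dkg makes is that a buffer built from two memcpy() calls and handed on together with its length is a length-delimited byte string, so it never needs a terminating NUL; the only thing that matters is that every consumer honours the length. The following is an added example written for this page, not code from gnupg or from either poster. It mirrors the quoted snippet with constructed stand-ins: join_pins() reproduces the xtrymalloc/memcpy/memcpy sequence, consume_with_length() stands in for iso7816_reset_retry_counter_with_rc() and additionally shows the bounds check such a length-aware consumer must perform, and wipe_then_free() stands in for wipememory()+xfree(). All of those names, CMD_BODY_MAX and the sample PIN bytes are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity of the command body the consumer packs into. */
#define CMD_BODY_MAX 255

/* Mirror of the quoted xtrymalloc/memcpy/memcpy sequence: builds a buffer
   holding oldpin followed immediately by newpin, with NO terminating NUL,
   exactly as scd/app-nks.c does. Its length travels in *datalen_out.
   Returns NULL on allocation failure. */
static unsigned char *join_pins(const unsigned char *oldpin, size_t oldpinlen,
                                const unsigned char *newpin, size_t newpinlen,
                                size_t *datalen_out)
{
    size_t datalen = oldpinlen + newpinlen;
    unsigned char *data = malloc(datalen ? datalen : 1); /* avoid malloc(0) */
    if (!data)
        return NULL;
    memcpy(data, oldpin, oldpinlen);
    memcpy(data + oldpinlen, newpin, newpinlen);
    *datalen_out = datalen;
    return data;
}

/* Stand-in for iso7816_reset_retry_counter_with_rc(): every access is
   bounded by datalen, never by a NUL search, so the missing terminator is
   irrelevant. The consumer still has to check that datalen fits its own
   buffer. Returns the number of bytes packed, or -1 if it does not fit. */
static int consume_with_length(const unsigned char *data, size_t datalen)
{
    unsigned char body[CMD_BODY_MAX];
    if (datalen > sizeof body)
        return -1;
    memcpy(body, data, datalen); /* bounded by datalen, not by strlen() */
    return (int)datalen;
}

/* Stand-in for wipememory()+xfree(): the volatile write keeps the compiler
   from discarding the clearing as a dead store ahead of free(). */
static void wipe_then_free(unsigned char *data, size_t datalen)
{
    volatile unsigned char *p = data;
    size_t i;
    for (i = 0; i < datalen; i++)
        p[i] = 0;
    free(data);
}

/* Runs the pattern end to end. Returns 1 if the joined buffer is exactly
   oldpinlen + newpinlen bytes in the expected order and the length-aware
   consumer accepted exactly that many bytes, else 0. */
int check_join_pattern(void)
{
    /* Constructed sample PIN bytes for the example; not real credentials. */
    const unsigned char oldpin[] = {'1', '2', '3', '4'};
    const unsigned char newpin[] = {'9', '8', '7', '6', '5', '4'};
    size_t datalen = 0;
    int ok;
    unsigned char *data = join_pins(oldpin, sizeof oldpin,
                                    newpin, sizeof newpin, &datalen);
    if (!data)
        return 0;
    ok = (datalen == sizeof oldpin + sizeof newpin)
         && memcmp(data, "1234987654", datalen) == 0
         && consume_with_length(data, datalen) == (int)datalen;
    wipe_then_free(data, datalen);
    return ok;
}

/* Returns 1 if the consumer rejects a buffer larger than its command body
   instead of truncating or overrunning it. */
int check_oversize_rejected(void)
{
    unsigned char big[CMD_BODY_MAX + 1];
    memset(big, 'x', sizeof big);
    return consume_with_length(big, sizeof big) == -1;
}

int main(void)
{
    printf("join pattern ok: %d\n", check_join_pattern());
    printf("oversize rejected: %d\n", check_oversize_rejected());
    return 0;
}
```

The invariant worth checking when reviewing code like this is the one dkg states: data is only ever paired with datalen. The moment any callee treats the buffer as a C string (strlen(), strcpy(), printf("%s")), the missing NUL becomes a real over-read, so a reviewer confirms each consumer's signature rather than the allocation size.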