Spot the Bug! : Spot the Bug

Thursday, August 04, 2005 4:41 PM rsamona

Spot the Bug - August 4, 2005

I think the last bug stumped a few people. Can you find the security vulnerability in this one?
Courtesy of Neelay Shah, Consultant, Foundstone

#define STD_HASH_LEN 11
#define MAX_HASH_LEN 31

char * strPassHash = (char*)malloc(sizeof(char)*STD_HASH_LEN);

: //Create the hash

// Now suppose you need to recreate the hash which would be of length = MAX_HASH_LEN

strPassHash = (char*)realloc(strPassHash, MAX_HASH_LEN);

Solution

#define STD_HASH_LEN 11

#define MAX_HASH_LEN 31

char * strPassHash = (char*)malloc(sizeof(char)*STD_HASH_LEN);

: //Create the hash

// Now suppose you need to recreate the hash which would be of length = //MAX_HASH_LEN

char * strNewPassHash = (char*)realloc(strPassHash, MAX_HASH_LEN);

if(NULL == strNewPassHash)

{

// Not enough free memory…free the old hash and return an error.

free(StrPassHash);

printf(“Error…Not enough free memory”);

return;

}

strPassHash = strNewPassHash;

Description:

In the bad way, if realloc() fails for want of memory it returns a NULL and the pointer to the old memory is lost. Now in normal cases this memory leak may not be a security threat but in case the memory is shared and its contents are sensitive like a password hash for example it may lead to a security threat. The good way of programming gets around this by using an extra pointer.

Filed under: Bug Squashed

Comments

# re: Spot the Bug - August 4, 2005

Thursday, August 04, 2005 9:44 PM by geoff.appleby

strPassHash = (char*)realloc(strPassHash, MAX_HASH_LEN);

This line needs to be changed to:

strPassHash = (char*)realloc(strPassHash, sizeof(char)*MAX_HASH_LEN);

My C knowlegde is a little chaky these days, but you should always qualify the size correctly to ensure you get the right amount of memory allocated.

# re: Spot the Bug - August 4, 2005

Thursday, August 04, 2005 9:44 PM by Steven

realloc returns NULL on failure, but leaves the original intact in that case. In low-memory conditions, this will leak even more memory. Not sure how that might qualify as a security vulnerability, though. So maybe it's not what you're looking for.
To handle realloc properly:

char *temp = (char *)realloc(strPassHash, MAX_HASH_LEN);
if (!temp) { /* error */ }
else { strPassHash = temp; }

Other remarks:
- why "sizeof (char)"? -- it returns 1 by definition
- the code doesn't show how the hash is used or defined. If it is a string (which the "str" prefix would indicate), then it might be necessary to reserve space for a trailing NUL byte.
- there should be checking for NULL after the first call to malloc, too.

# re: Spot the Bug - August 4, 2005

Thursday, August 04, 2005 9:47 PM by Bart

Hi,

I do have a few remarks for the code snippet.

First, strPasHash should be checked for a NULL value before creating the hash:

if (NULL != strPassHash)
//Create the hash

Second, I'm missing the sizeof(char) part in the realloc function call (strictly spoken not needed for a char, it would be needed for Unicode characters etc):

strPassHash = (char*)realloc(strPassHash, sizeof(char)*MAX_HASH_LEN);

Third, there should be a NULL check after the realloc call too:

if (NULL != strPassHash)
//continue

Fourth, before reaching the following line:

strPassHash = (char*)realloc(strPassHash, sizeof(char)*MAX_HASH_LEN);

strPassHash should still point to the original location (acquired through malloc) and should not be NULL. If it's NULL, a malloc would be used and the original memory wouldn't be freed, therefore leaving stuff in memory that could be useful for an attacker (and would be exploitable thrugh a buffer overrun etc).

Fifth, the code assumes the hashes are NULL-terminated (and don't contain a NULL value inside?) although no explicit code is present to guarantee this:

strPassHash[STD_HASH_LEN - 1] = '\0';
...
strPassHash[MAX_HASH_LEN - 1] = '\0';

If the strPassHash is returned to the caller (assuming the code is in a function/method) NULL-termination is absolutely needed in order for things such as strlen to work and behave correctly and to avoid overruns.

Last but not least, it's best to AVOID realloc for crypto functions because when the data needs to be copied to another location (because in-place expansion is not possible), the old memory won't be zeroed out. Also, the pattern

a = realloc(a, ...);

destroys the original pointer so there is no way to zero out the memory yourself anymore (also because the old memory is freed, thus not directly accessible anymore).

Greetz,
Bart

# Options Trading » Spot the Bug - August 4, 2005

Sunday, April 20, 2008 1:58 PM by Options Trading » Spot the Bug - August 4, 2005

PingBack from http://stocks-options-trading.info/options-trading/?p=1035

# Spot the Bug Spot the Bug August 4 2005 | Insomnia Cure

Tuesday, June 09, 2009 8:57 PM by Spot the Bug Spot the Bug August 4 2005 | Insomnia Cure

PingBack from http://insomniacuresite.info/story.php?id=2139

New Comments to this post are disabled

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - August 4, 2005

Comments

# re: Spot the Bug - August 4, 2005

# re: Spot the Bug - August 4, 2005

# re: Spot the Bug - August 4, 2005

# Options Trading » Spot the Bug - August 4, 2005

# Spot the Bug Spot the Bug August 4 2005 | Insomnia Cure

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - August 4, 2005

Comments

# re: Spot the Bug - August 4, 2005

# re: Spot the Bug - August 4, 2005

# re: Spot the Bug - August 4, 2005

# Options Trading &raquo; Spot the Bug - August 4, 2005

# Spot the Bug Spot the Bug August 4 2005 | Insomnia Cure

# Options Trading » Spot the Bug - August 4, 2005