53 lines
1.7 KiB
Diff
53 lines
1.7 KiB
Diff
From 777b95a88f006d39d9fe6d3321db17e7b0d4b9a4 Mon Sep 17 00:00:00 2001
|
||
From: Philip Withnall <pwithnall@endlessos.org>
|
||
Date: Thu, 4 Feb 2021 14:07:39 +0000
|
||
Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords
|
||
MIME-Version: 1.0
|
||
Content-Type: text/plain; charset=UTF-8
|
||
Content-Transfer-Encoding: 8bit
|
||
|
||
The public API `g_tls_password_set_value_full()` (and the vfunc it
|
||
invokes) can only accept a `gssize` length. Ensure that nul-terminated
|
||
strings passed to `g_tls_password_set_value()` can’t exceed that length.
|
||
Use `g_memdup2()` to avoid an overflow if they’re longer than
|
||
`G_MAXUINT` similarly.
|
||
|
||
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
|
||
Helps: #2319
|
||
---
|
||
gio/gtlspassword.c | 10 ++++++++--
|
||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||
|
||
diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
|
||
index 1e437a7b6..dbcec41a8 100644
|
||
--- a/gio/gtlspassword.c
|
||
+++ b/gio/gtlspassword.c
|
||
@@ -23,6 +23,7 @@
|
||
#include "glibintl.h"
|
||
|
||
#include "gioenumtypes.h"
|
||
+#include "gstrfuncsprivate.h"
|
||
#include "gtlspassword.h"
|
||
|
||
#include <string.h>
|
||
@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password,
|
||
g_return_if_fail (G_IS_TLS_PASSWORD (password));
|
||
|
||
if (length < 0)
|
||
- length = strlen ((gchar *)value);
|
||
+ {
|
||
+ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
|
||
+ gsize length_unsigned = strlen ((gchar *) value);
|
||
+ g_return_if_fail (length_unsigned > G_MAXSSIZE);
|
||
+ length = (gssize) length_unsigned;
|
||
+ }
|
||
|
||
- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
|
||
+ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
|
||
}
|
||
|
||
/**
|
||
--
|
||
2.30.1
|
||
|