luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-03-24 08:30:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

gtlspassword: Forbid very long TLS passwords

Browse Source 
The public API `g_tls_password_set_value_full()` (and the vfunc it
invokes) can only accept a `gssize` length. Ensure that nul-terminated
strings passed to `g_tls_password_set_value()` can’t exceed that length.
Use `g_memdup2()` to avoid an overflow if they’re longer than
`G_MAXUINT` similarly.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
This commit is contained in:
Philip Withnall 2021-02-04 14:07:39 +00:00
parent 65ec7f4d6e
commit 777b95a88f
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
gio/gtlspassword.c
View File

@ -23,6 +23,7 @@
#include "glibintl.h"
#include "gioenumtypes.h"
#include "gstrfuncsprivate.h"
#include "gtlspassword.h"
#include <string.h>
@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password,
g_return_if_fail (G_IS_TLS_PASSWORD (password));
if (length < 0)
length = strlen ((gchar *)value);
{
/* FIXME: g_tls_password_set_value_full() doesnt support unsigned gsize */
gsize length_unsigned = strlen ((gchar *) value);
g_return_if_fail (length_unsigned > G_MAXSSIZE);
length = (gssize) length_unsigned;
}
g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
}
/**