kdepim buffers patch
Steve G
linux_4ever at yahoo.com
Fri Dec 31 20:44:23 GMT 2004
Hi,
I was using Korganizer to look at an .ics file and it crashed. I investigated
the problem and found that a buffer was not big enough to hold the text being
created via sprintf. The fact that sprintf was being used and not snprintf
caused a great deal of concern since kdepim handles files from untrusted sources.
I decided to review all places that were using sprintf in kdepim and found
several places where the wrong sized buffer was used. I also found one case
where sprintf was being called directly on the arguments without a "%s" !
To briefly go over the wrong sized buffers (please refer to the attached patch):
libical/src/libical/icaltime.c This is not exploitable as it writes to the
heap in a formatted way. It *will* crash korganizer. 26 bytes are needed as a
minimum according to the ctime man page.
libical/src/libical/icalvalue.c There are 2 overflows here. In both cases the
overflow involves printing a floating point number. The buffers overflowed
seem to be on the heap as well. I think this is hard to exploit as you would
be limited to ascii values for digits. I allow 40 bytes for %f: 1 for the sign,
30 for the whole number, 1 for the decimal point, and 6 for the fraction.
libical/src/libical/sspm.c This is a 1-byte overflow on the stack. I traced
its callers and it seems related to multi-part write and mime-write. It also
turns out the only caller of this in kdepim is a mime test function. Unless
the function is called indirectly or by another kde application that's not in
kdepim, this overflow never comes into play.
Attached is a patch that removes almost all sprintf's in favor of snprintf and
expands the size of the above mentioned buffers to make sure they are big enough.
There very well may be other overflows because MAX_PATH is 4096 and file
name buffers seem to be 256 bytes in kdepim. snprintf at least keeps the stack
from being hammered.
Thanks,
-Steve Grubb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kdepim-3.3.1-buffer.patch
Type: text/x-patch
Size: 20719 bytes
Desc: kdepim-3.3.1-buffer.patch
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20041231/b28f5a3c/attachment.bin>
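The three patterns the message describes (a ctime-style buffer that must be at least 26 bytes, a "%f" conversion written into a fixed buffer, and sprintf called on untrusted text without a "%s" format) are illustrated below in hardened form. This is an added example written for this page, not code from the attached kdepim patch or from libical; the function names, the 40-byte "%f" budget taken from the message, and the sample inputs (including the message's own timestamp as a time_t) are constructed for illustration. It goes one step beyond the message by showing the check that catches a value that exceeds the budget: snprintf and strftime both report when the output did not fit, so the caller can refuse the result instead of silently truncating or, with sprintf, overflowing.

```c
/* Added example: sizing fixed buffers and checking snprintf/strftime results.
 * Not part of the kdepim patch; helper names and sample inputs are invented. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Budget from the message: 1 sign + 30 integer digits + '.' + 6 fraction digits
 * + NUL. Large doubles ("%f" of 1e300 prints over 300 digits) will not fit. */
#define FLOAT_BUF 40

/* "%f" into a fixed buffer. snprintf returns the length it *wanted* to write,
 * so n >= outsz means the text was cut off (sprintf would have kept going past
 * the end of the buffer). Returns 1 on success, 0 and an empty string on
 * overflow or error. */
int format_float(char *out, size_t outsz, double v)
{
    int n = snprintf(out, outsz, "%f", v);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Copy untrusted text into a fixed buffer. The format string is the constant
 * "%s"; the original bug pattern, sprintf(out, text), hands attacker text to
 * the formatter, where %x, %s or %n directives are interpreted. Returns 1 if
 * the whole string fit, 0 if it was truncated (the buffer is still NUL
 * terminated in either case). */
int copy_untrusted(char *out, size_t outsz, const char *text)
{
    int n = snprintf(out, outsz, "%s", text);
    return n >= 0 && (size_t)n < outsz;
}

/* ctime-style timestamp, e.g. "Fri Dec 31 20:44:23 2004\n": 24 characters
 * plus the newline plus the NUL, which is why 26 bytes is the minimum.
 * strftime returns 0 when the result does not fit in outsz. Uses gmtime so the
 * output does not depend on the local timezone. */
int format_ctime(char *out, size_t outsz, time_t t)
{
    struct tm *tm = gmtime(&t);
    if (!tm)
        return 0;
    return strftime(out, outsz, "%a %b %e %H:%M:%S %Y\n", tm) != 0;
}

int main(void)
{
    char fbuf[FLOAT_BUF];
    char tbuf[26];
    char sbuf[8];
    /* Constructed sample: the message header's date as UTC seconds. */
    time_t sample = (time_t)1104525863;

    printf("3.5 -> %s\n", format_float(fbuf, sizeof fbuf, 3.5) ? fbuf : "(too long)");
    printf("1e300 -> %s\n", format_float(fbuf, sizeof fbuf, 1e300) ? fbuf : "(too long)");
    if (format_ctime(tbuf, sizeof tbuf, sample))
        printf("ctime-style: %s", tbuf);
    /* Constructed attacker string: harmless here because it is copied via "%s". */
    printf("untrusted fit: %d (%s)\n",
           copy_untrusted(sbuf, sizeof sbuf, "%n%n%n%n%n%n%n%n"), sbuf);
    return 0;
}
```

The return-value check is the part that matters: replacing sprintf with snprintf stops the write at the buffer boundary, but only the caller knows whether a truncated float or filename is acceptable, and a silently truncated path is its own class of bug.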