Message-ID: <CAH8yC8mk=9pj20AUcDuCgJ7aabf+2chHhknS5=pjQF5LSq7Ptw@mail.gmail.com>
Date: Fri, 17 Aug 2018 06:33:12 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fweimer@...hat.com>, Doran Moppert <dmoppert@...hat.com>, 
	Christophe Fergeau <cfergeau@...hat.com>
Subject: Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling

On Fri, Aug 17, 2018 at 5:43 AM, Frediano Ziglio <fziglio@...hat.com> wrote:
>> On 08/17/2018 02:51 AM, Doran Moppert wrote:
>> >      +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
>> >      +            goto error;
>> >      +        }
>>
>> These checks are still technically invalid because start + 2 is not a
>> valid pointer if it points past the allocated object.
>>
> Technical but not real. Unless it wraps is correct...

I believe Florian is correct. I think the most freedom you are allowed
is to access one beyond the "end" of the array; otherwise it is
undefined behavior. The compiler is free to remove the code or dragons
can fly out your nose.

Jeff
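The usual way to avoid Florian's objection (forming `start + 2` when fewer than two bytes remain is itself undefined) is to compare remaining length rather than pointers. The following is an added illustration in the shape of the quoted check, not code from spice or from anyone in this thread; the helper names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes still available in [start, message_end); 0 if start is at or past the end. */
static size_t remaining(const uint8_t *start, const uint8_t *message_end)
{
    return (start < message_end) ? (size_t)(message_end - start) : 0;
}

/* Length-based replacement for "(start + 2) > message_end": it compares sizes,
 * so start + need is never formed when it would point beyond the buffer
 * (the undefined-behaviour case raised in the thread). */
static int has_bytes(const uint8_t *start, const uint8_t *message_end, size_t need)
{
    return remaining(start, message_end) >= need;
}

/* Demarshal one little-endian u16 at *start, advancing the cursor.
 * Returns 0 on success, -1 when the message is too short (the "goto error" path). */
static int read_u16(const uint8_t **start, const uint8_t *message_end, uint16_t *out)
{
    if (!has_bytes(*start, message_end, 2))
        return -1;
    *out = (uint16_t)((*start)[0] | ((uint16_t)(*start)[1] << 8));
    *start += 2;
    return 0;
}

/* Read u16 fields until the message runs out; returns how many were read. */
static size_t count_u16_fields(const uint8_t *buf, size_t len)
{
    const uint8_t *start = buf, *end = buf + len;
    uint16_t v;
    size_t n = 0;
    while (read_u16(&start, end, &v) == 0)
        n++;
    return n;
}

/* Constructed 3-byte message (hypothetical, not a real spice message):
 * one full u16 (0x1234) followed by a single trailing byte. */
static const uint8_t kSampleMsg[3] = { 0x34, 0x12, 0xAA };

int main(void)
{
    const uint8_t *p = kSampleMsg;
    uint16_t v = 0;
    int rc = read_u16(&p, kSampleMsg + sizeof kSampleMsg, &v);
    printf("first field: rc=%d value=0x%04X\n", rc, v);
    printf("fields that fit: %zu\n", count_u16_fields(kSampleMsg, sizeof kSampleMsg));
    return 0;
}
```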
