IOT-1812: OICStrcpy is not safe with OICMalloc if the string can be empty
author Dave Thaler <dthaler@microsoft.com>
Fri, 10 Feb 2017 18:51:23 +0000 (10:51 -0800)
committer Kevin Kane <kkane@microsoft.com>
Tue, 14 Feb 2017 01:14:55 +0000 (01:14 +0000)
commit 9bc3a4ca3ab20eef194d110fef294b6e0b88a20e
tree 666a3b7497fb810d2e48d67f47b867c1a241540b
parent 48afefdfb3eefcc1df93e135986d9d1fa68ef2f7
IOT-1812: OICStrcpy is not safe with OICMalloc if the string can be empty

OICMalloc does not zero the memory allocated, and OICStrcpy does not
initialize the destination buffer if the source strlen is 0. Indeed
this seems to be by design, as the StringTests.StrcpyZeroSource
explicitly verifies that it does not initialize the destination buffer.

As a result, OICMalloc + OICStrcpy can result in uninitialized memory
(in a 1-byte buffer) that results in subsequently reading past the end
of the buffer, which can cause a crash.

Several security code paths are susceptible to this bug, which is
easy to reproduce with Application Verifier.

Change-Id: I6a3e2840c310d15a52656bf309ac9995de813683
Signed-off-by: Dave Thaler <dthaler@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/17177
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Dan Mihai <Daniel.Mihai@microsoft.com>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
resource/csdk/security/src/aclresource.c
resource/csdk/security/src/dpairingresource.c
resource/csdk/security/tool/json2cbor.c
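The failure mode described in the commit message, as an added example that is not part of this commit or of the IoTivity code base. The `strcpy_like_oic` function below is a hypothetical stand-in that mirrors only the behaviour the message describes (nothing is written when the source string is empty); it is not the real OICStrcpy. The stale `0xAB` byte placed in the freshly allocated buffer is constructed to make the uninitialized contents deterministic. The example then shows the two mitigations a reviewer would expect: zero-initialising the allocation, or a copy routine that always NUL-terminates a non-empty destination.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in (not IoTivity's code) for a copy routine that, like the
 * behaviour the commit describes, leaves the destination untouched when the
 * source has length 0. Otherwise it copies at most destSize-1 bytes and NUL-terminates. */
static char *strcpy_like_oic(char *dest, size_t destSize, const char *source)
{
    size_t len = strlen(source);
    if (len == 0 || destSize == 0) {
        return dest; /* destination is NOT terminated here: this is the bug */
    }
    if (len >= destSize) {
        len = destSize - 1;
    }
    memcpy(dest, source, len);
    dest[len] = '\0';
    return dest;
}

/* Hardened variant: a non-empty destination is always NUL-terminated,
 * even when the source is empty. */
static char *strcpy_always_terminated(char *dest, size_t destSize, const char *source)
{
    if (destSize == 0) {
        return dest;
    }
    size_t len = strlen(source);
    if (len >= destSize) {
        len = destSize - 1;
    }
    memcpy(dest, source, len);
    dest[len] = '\0';
    return dest;
}

/* Simulates malloc() handing back a 1-byte buffer with stale contents.
 * The 0xAB fill is constructed so the result is deterministic; a real
 * allocator returns whatever happened to be in that memory before. */
static char *alloc_one_byte_stale(void)
{
    char *buf = malloc(1);
    if (buf != NULL) {
        buf[0] = (char)0xAB;
    }
    return buf;
}

/* Returns 1 if the buffer is a valid empty C string after the copy, 0 otherwise.
 * Unpatched pattern: malloc(1) followed by a copy that skips empty sources. */
int copy_into_uninitialized_buffer(void)
{
    char *buf = alloc_one_byte_stale();
    if (buf == NULL) return 0;
    strcpy_like_oic(buf, 1, "");
    int terminated = (buf[0] == '\0');
    free(buf);
    return terminated;
}

/* Mitigation 1: zero-initialise the allocation so the empty-source path
 * still yields a terminated string. */
int copy_into_zeroed_buffer(void)
{
    char *buf = calloc(1, 1);
    if (buf == NULL) return 0;
    strcpy_like_oic(buf, 1, "");
    int terminated = (buf[0] == '\0');
    free(buf);
    return terminated;
}

/* Mitigation 2: use a copy routine that terminates regardless of source length. */
int copy_with_hardened_strcpy(void)
{
    char *buf = alloc_one_byte_stale();
    if (buf == NULL) return 0;
    strcpy_always_terminated(buf, 1, "");
    int terminated = (buf[0] == '\0');
    free(buf);
    return terminated;
}

int main(void)
{
    printf("malloc + skip-on-empty copy terminated: %d\n", copy_into_uninitialized_buffer());
    printf("calloc + skip-on-empty copy terminated: %d\n", copy_into_zeroed_buffer());
    printf("malloc + always-terminating copy:       %d\n", copy_with_hardened_strcpy());
    return 0;
}
```

In the unpatched pattern the 1-byte buffer never receives a terminator, so any later `strlen` or `%s` on it walks past the allocation; tools such as Application Verifier, or ASan on other platforms, flag exactly that out-of-bounds read. Either mitigation closes the gap; the hardened copy routine is the more robust choice because it does not depend on every caller remembering to zero the allocation.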