Use inline functions to convert buffer data to scalars.

* common/host2net.h (buf16_to_ulong, buf16_to_uint): New. (buf16_to_ushort, buf16_to_u16): New. (buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New. -- Commit 91b826a388 was not enough to avoid all sign extension on shift problems. Hanno Böck found a case with an invalid read due to this problem. To fix that once and for all almost all uses of "<< 24" and "<< 8" are changed by this patch to use an inline function from host2net.h. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2015-02-11 10:27:57 +01:00 · 2015-02-11 10:27:57 +01:00 · 2183683bd6
commit 2183683bd6
parent f0f71a721c
31 changed files with 220 additions and 210 deletions
--- a/common/b64enc.c
+++ b/common/b64enc.c
@ -253,7 +253,7 @@ b64enc_write (struct b64state *state, const void *buffer, size_t nbytes)
      u32 crc = state->crc;

      for (p=buffer, n=nbytes; n; p++, n-- )
-        crc = (crc << 8) ^ crc_table[((crc >> 16)&0xff) ^ *p];
+        crc = ((u32)crc << 8) ^ crc_table[((crc >> 16)&0xff) ^ *p];
      state->crc = (crc & 0x00ffffff);
    }

--- a/common/dns-cert.c
+++ b/common/dns-cert.c
@ -47,6 +47,7 @@
 #endif

 #include "util.h"
+#include "host2net.h"
 #include "dns-cert.h"

 /* Not every installation has gotten around to supporting CERTs
@ -130,7 +131,7 @@ get_dns_cert (const char *name, estream_t *r_key,
      if (datalen < 5)
        continue;  /* Truncated CERT record - skip.  */

-      ctype = ((data[0] << 8) | data[1]);
+      ctype = buf16_to_uint (data);
      /* (key tag and algorithm fields are not required.) */
      data += 5;
      datalen -= 5;
@ -262,12 +263,13 @@ get_dns_cert (const char *name, estream_t *r_key,
          if ((emsg - pt) < 15)
            break;

-          type = *pt++ << 8;
-          type |= *pt++;
+          type = buf16_to_u16 (pt);
+          pt += 2;

-          class = *pt++ << 8;
+          class = buf16_to_u16 (pt);
+          pt += 2;
          class |= *pt++;
-          /* We asked for IN and got something else !? */
+
          if (class != C_IN)
            break;

@ -275,8 +277,8 @@ get_dns_cert (const char *name, estream_t *r_key,
          pt += 4;

          /* data length */
-          dlen = *pt++ << 8;
-          dlen |= *pt++;
+          dlen = buf16_to_u16 (pt);
+          pt += 2;

          /* We asked for CERT and got something else - might be a
             CNAME, so loop around again. */
@ -287,8 +289,8 @@ get_dns_cert (const char *name, estream_t *r_key,
            }

          /* The CERT type */
-          ctype = *pt++ << 8;
-          ctype |= *pt++;
+          ctype = buf16_to_u16 (pt);
+          pt += 2;

          /* Skip the CERT key tag and algo which we don't need. */
          pt += 3;
--- a/common/host2net.h
+++ b/common/host2net.h
@ -1,5 +1,5 @@
 /* host2net.h - Endian conversion macros
- * Copyright (C) 1998, 2014  Werner Koch
+ * Copyright (C) 1998, 2014, 2015  Werner Koch
 *
 * This file is part of GnuPG.
 *
@ -32,9 +32,6 @@

 #include "types.h"

-#define buftoulong( p )  ((*(byte*)(p) << 24) | (*((byte*)(p)+1)<< 16) | \
-		       (*((byte*)(p)+2) << 8) | (*((byte*)(p)+3)))
-#define buftoushort( p )  ((*((byte*)(p)) << 8) | (*((byte*)(p)+1)))
 #define ulongtobuf( p, a ) do { 			  \
 			    ((byte*)p)[0] = a >> 24;	\
 			    ((byte*)p)[1] = a >> 16;	\
@ -45,8 +42,71 @@
 			    ((byte*)p)[0] = a >>  8;	\
 			    ((byte*)p)[1] = a	   ;	\
 			} while(0)
-#define buftou32( p)	buftoulong( (p) )
-#define u32tobuf( p, a) ulongtobuf( (p), (a) )
+
+
+static inline unsigned long
+buf16_to_ulong (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((unsigned long)p[0] << 8) | p[1]);
+}
+
+static inline unsigned int
+buf16_to_uint (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((unsigned int)p[0] << 8) | p[1]);
+}
+
+static inline unsigned short
+buf16_to_ushort (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((unsigned short)p[0] << 8) | p[1]);
+}
+
+static inline u16
+buf16_to_u16 (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((u16)p[0] << 8) | p[1]);
+}
+
+static inline size_t
+buf32_to_size_t (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((size_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+}
+
+static inline unsigned long
+buf32_to_ulong (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((unsigned long)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+}
+
+static inline unsigned int
+buf32_to_uint (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((unsigned int)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+}
+
+static inline u32
+buf32_to_u32 (const void *buffer)
+{
+  const unsigned char *p = buffer;
+
+  return (((u32)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+}


 #endif /*GNUPG_COMMON_HOST2NET_H*/
--- a/common/iobuf.c
+++ b/common/iobuf.c
@ -871,7 +871,7 @@ block_filter (void *opaque, int control, iobuf_t chain, byte * buffer,
 		    }
 		  else if (c == 255)
 		    {
-		      a->size = iobuf_get (chain) << 24;
+		      a->size = (size_t)iobuf_get (chain) << 24;
 		      a->size |= iobuf_get (chain) << 16;
 		      a->size |= iobuf_get (chain) << 8;
 		      if ((c = iobuf_get (chain)) == -1)
@ -1228,9 +1228,12 @@ iobuf_t
 iobuf_temp_with_content (const char *buffer, size_t length)
 {
  iobuf_t a;
+  int i;

  a = iobuf_alloc (3, length);
-  memcpy (a->d.buf, buffer, length);
+  /* memcpy (a->d.buf, buffer, length); */
+  for (i=0; i < length; i++)
+    a->d.buf[i] = buffer[i];
  a->d.len = length;

  return a;
--- a/common/pka.c
+++ b/common/pka.c
@ -51,6 +51,7 @@
 #endif

 #include "util.h"
+#include "host2net.h"
 #include "pka.h"

 #ifdef USE_DNS_PKA
@ -252,13 +253,14 @@ get_pka_info (const char *address, unsigned char *fpr)
      if (p >= pend - 10)
        return NULL; /* RR too short. */

-      type = *p++ << 8;
-      type |= *p++;
-      class = *p++ << 8;
-      class |= *p++;
+      type = buf16_to_uint (p);
+      p += 2;
+      class = buf16_to_uint (p);
+      p += 2;
      p += 4;
-      txtlen = *p++ << 8;
-      txtlen |= *p++;
+      txtlen = buf16_to_uint (p);
+      p += 2;
+
      if (type != T_TXT || class != C_IN)
        return NULL; /* Answer does not match the query. */

--- a/common/srv.c
+++ b/common/srv.c
@ -48,6 +48,7 @@
 #endif

 #include "util.h"
+#include "host2net.h"
 #include "srv.h"

 /* Not every installation has gotten around to supporting SRVs
@ -184,27 +185,28 @@ getsrv (const char *name,struct srventry **list)
        if((emsg-pt)<16)
          goto fail;

-        type=*pt++ << 8;
-        type|=*pt++;
+        type = buf16_to_u16 (pt);
+        pt += 2;
        /* We asked for SRV and got something else !? */
        if(type!=T_SRV)
          goto fail;

-        class=*pt++ << 8;
-        class|=*pt++;
+        class = buf16_to_u16 (pt);
+        pt += 2;
        /* We asked for IN and got something else !? */
        if(class!=C_IN)
          goto fail;

-        pt+=4; /* ttl */
-        dlen=*pt++ << 8;
-        dlen|=*pt++;
-        srv->priority=*pt++ << 8;
-        srv->priority|=*pt++;
-        srv->weight=*pt++ << 8;
-        srv->weight|=*pt++;
-        srv->port=*pt++ << 8;
-        srv->port|=*pt++;
+        pt += 4; /* ttl */
+        dlen = buf16_to_u16 (pt);
+        pt += 2;
+
+        srv->priority = buf16_to_ushort (pt);
+        pt += 2;
+        srv->weight = buf16_to_ushort (pt);
+        pt += 2;
+        srv->port = buf16_to_ushort (pt);
+        pt += 2;

        /* Get the name.  2782 doesn't allow name compression, but
           dn_expand still works to pull the name out of the
--- a/common/tlv.c
+++ b/common/tlv.c
@ -96,7 +96,7 @@ do_find_tlv (const unsigned char *buffer, size_t length,
        { /* Two byte length follows. */
          if (n < 2)
            return NULL; /* We expected 2 more bytes with the length. */
-          len = (s[0] << 8) | s[1];
+          len = ((size_t)s[0] << 8) | s[1];
          s += 2; n -= 2;
        }
      else