Bug 765566 – Integer overflow parsing port number in uri.c

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 765566 - (CVE-2016-4616) Integer overflow parsing port number in uri.c

(CVE-2016-4616)
Summary:	Integer overflow parsing port number in uri.c


Status:	RESOLVED OBSOLETE

Product:	libxml2
Classification:	Platform
Component:	general
Version:	git master
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Daniel Veillard
QA Contact:	libxml QA maintainers

URL:
Whiteboard:

Duplicates:	784014 (view as bug list)
Depends on:
Blocks:	784014

Reported:	2016-04-26 00:32 UTC by Michael Paddon
Modified:	2021-07-05 13:23 UTC

See Also:	752902
GNOME target:	---
GNOME version:	---

Attachments
Proposed patch. (911 bytes, patch) 2016-04-26 00:32 UTC, Michael Paddon	none	Details \| Review

Description Michael Paddon 2016-04-26 00:32:06 UTC

Created attachment 326717 [details] [review]
Proposed patch.

In uri.c:xmlParse3986Port(), uri->port can overflow when parsing a the port number. The type of uri->port is int, so the consequent behavior is undefined and may differ between compilers and architectures. This may have security implications as the same document may exhibit different behaviors on different platforms. The attached patch uses an unsigned to parse the port number and stores the value modulo INT_MAX in uri->port. The patched code preserves all behavior that was previously defined.

Comment 1 Daniel Veillard 2016-05-21 09:36:24 UTC

RFCs 3986 doesn't limit the port value ! URI can be used for namespace,
where libxml2 will parse the URI string used as a name for the namespace without
ever trying to access the port. So a ridiculously large port, is okay in
that context and we should try to preserve those. That said if it's over
INT_MAX I think it's reasonable to fail to save the uri->port.

I reused the patch as is, I was tempted ti use unsigned long but since for
ABI we need to keep the field as int, that's pointless anyway, applied as

https://git.gnome.org/browse/libxml2/commit/?id=846cf015a77b9bca7b90c17c1f608ece3e268dad

  thanks !

Daniel

Comment 2 Nick Wellnhofer 2017-06-21 11:28:11 UTC

I don't think this issue is fixed. At the very least, the port number should be mapped to some illegal value if an overflow occurs. Using modulo arithmetic results in almost the same behavior as before and only avoids error messages from sanitizers.

The behavior is still platform-dependent and, more importantly, it still allows to disguise port numbers. A value of (INT_MAX + 81) will be mapped to 80, for example.

Ideally, the port should be stored as a string and only converted to a number by the protocol handlers.

Comment 3 David Kilzer 2017-06-21 17:32:11 UTC

*** Bug 784014 has been marked as a duplicate of this bug. ***

Comment 4 Michael Paddon 2017-06-26 07:47:49 UTC

(In reply to Nick Wellnhofer from comment #2)
> I don't think this issue is fixed. At the very least, the port number should
> be mapped to some illegal value if an overflow occurs. Using modulo
> arithmetic results in almost the same behavior as before and only avoids
> error messages from sanitizers.
> 
> The behavior is still platform-dependent and, more importantly, it still
> allows to disguise port numbers. A value of (INT_MAX + 81) will be mapped to
> 80, for example.
> 
> Ideally, the port should be stored as a string and only converted to a
> number by the protocol handlers.

Hi Nick,

The specific issue addressed by my patch was undefined behaviour when a signed integer overflows. The behaviour is now defined, closing off a potential vulnerability.

Your broader point is quite valid; an out of range port number would best be treated as an error rather than mapped to a modulo value. This would require  larger code changes (with a risk of introducing new bugs). Your proposed approach, in particular, may require altering the ABI and would result in externally visible behavioural change. If there is consensus from the project owners that this is OK I would be happy to work on a patch.

Comment 5 Nick Wellnhofer 2017-06-26 11:54:05 UTC

> The specific issue addressed by my patch was undefined behaviour when a signed
> integer overflows. The behaviour is now defined, closing off a potential
> vulnerability.

That's correct. But typically, signed integer overflow only leads to wrapping the value around, much like the code does now explicitly.

> If there is consensus from the project owners that this is OK I would be happy
> to work on a patch.

I think this is a minor issue that doesn't require immediate attention. By reopening, I mainly wanted to make sure that this bug isn't forgotten. It's slightly dangerous to make fixes just to silence sanitizers without addressing the underlying issue.

Comment 6 GNOME Infrastructure Team 2021-07-05 13:23:17 UTC

GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/

Thank you for your understanding and your help.