Parsing of KMIP strings (KMIPResponse::_parseString) contains an integer overflow that bypasses the protections provided by the ConstDataRangeCursor.
```cpp
StatusWith<size_t> swTag = _parseTag(cdrc, tag, ItemType::textString, tagName);
if (!swTag.isOK()) {
    return swTag.getStatus();
}
size_t len = swTag.getValue();
```
This length is attacker-controlled and can be very large (e.g., UINT_MAX). If len is 0xffffffffU, the addition in the following code overflows, so the advance succeeds instead of being rejected.
```cpp
// Pad the length up to the next multiple of 8; the addition can wrap.
Status adv = cdrc->advance(len + (8 - (len % 8)) % 8);
if (!adv.isOK()) {
    return adv;
}
```
For len of 0xffffffffU, “len + (8 - (len % 8)) % 8” evaluates to 0, so the cursor is advanced by zero bytes and the bounds check passes. In this particular case, the subsequent conversion to std::string with the unchecked length causes an exception.
```cpp
return std::string(data, len);
```
This would only occur on systems where “sizeof(uint32_t) == sizeof(size_t)” due to advance taking in a size_t while the code uses uint32_t in the parsing.
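As an added illustration (not MongoDB's code), the following models the padding arithmetic with 32-bit wrap-around beside a checked version that refuses to advance on overflow or when the padded length exceeds the bytes remaining in the cursor. Function names are hypothetical.

```cpp
#include <cstdint>
#include <limits>
#include <optional>

// Models the padding computation from _parseString on a platform where
// size_t is 32 bits: the sum wraps and the advance length becomes 0.
uint32_t paddedLenWrapping(uint32_t len) {
    return len + (8 - (len % 8)) % 8;   // wraps to 0 for len == 0xffffffffU
}

// Hardened form: computes the 8-byte-padded length with an explicit
// overflow check and bounds it against the bytes remaining in the buffer.
// Returns std::nullopt on overflow or when the padded length exceeds
// `remaining`, so the caller rejects the message instead of advancing.
std::optional<size_t> paddedLenChecked(uint32_t len, size_t remaining) {
    size_t wide = static_cast<size_t>(len);
    size_t pad = (8 - (wide % 8)) % 8;
    if (wide > std::numeric_limits<size_t>::max() - pad) {
        return std::nullopt;             // len + pad would overflow size_t
    }
    size_t padded = wide + pad;
    if (padded > remaining) {
        return std::nullopt;             // not enough bytes left in the cursor
    }
    return padded;
}
```

On a 64-bit build the checked version rejects 0xffffffffU because the padded length exceeds the remaining bytes; on a 32-bit build it rejects it on the overflow check.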