Stef writes:

>      Hello,
>
>      I think that this one isn't a bug. I'm considering closing it as
> 'invalid'. May someone double-check?

When used through a well-behaved SANE frontend nothing bad will happen.
In that respect it is perhaps not a bug.

It sure is a coding style that is begging for trouble and just waiting
to blow up in your face.

All I have to do to turn it into a bug is write a frontend that calls

  SANE_Word sane_word;
  sane_control_option (h, 17, SANE_ACTION_GET_VALUE, &sane_word, NULL);

and you have a security vulnerability on your hands.
# I thought about passing NULL instead of &sane_word but decided not to,
# to avoid an unchecked NULL dereference.

The SANE API Spec has nothing to say on calling sane_control_option with
values of n larger than or equal to the option count (optLast for the niash
backend).

I don't like the proposed patch much though.  How about the attached?
At least it addresses the above issue(s).  The coding style issue is not
addressed though.

Hope this helps,
-- 
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
Support Free Software               Support the Free Software Foundation
https://my.fsf.org/donate                        https://my.fsf.org/join
From db83bf44deaaf93376c22b17cd46214d24e31841 Mon Sep 17 00:00:00 2001
From: Olaf Meeuwissen <paddy-h...@member.fsf.org>
Date: Mon, 14 Sep 2015 18:24:39 +0900
Subject: [PATCH] niash.c: Add argument screening to sane_control_option

This prevents access to non-existing array elements as well as
potential NULL dereferences.

Fixes #315132.
---
 backend/niash.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/backend/niash.c b/backend/niash.c
index 7bc8a25..9024d77 100644
--- a/backend/niash.c
+++ b/backend/niash.c
@@ -995,6 +995,19 @@ sane_control_option (SANE_Handle h, SANE_Int n, SANE_Action Action,
 
   DBG (DBG_MSG, "sane_control_option: option %d, action %d\n", n, Action);
 
+  if ((n < optCount) || (n >= optLast))
+    {
+      return SANE_STATUS_UNSUPPORTED;
+    }
+
+  if (Action == SANE_ACTION_GET_VALUE || Action == SANE_ACTION_SET_VALUE)
+    {
+      if (pVal == NULL)
+        {
+          return SANE_STATUS_INVAL;
+        }
+    }
+
   s = (TScanner *) h;
   info = 0;
 
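Review bot: the range test `if ((n < optCount) || (n >= optLast))` silently depends on optCount being the first enumerator (0) and optLast the past-the-end sentinel of the option enum; a one-line comment saying so, or writing the lower bound as `n < 0`, would stop a later reordering of the enum from reopening the hole while keeping option 0 (the option count, which the SANE spec requires to be readable) inside the accepted range. Restricting the pVal NULL check to SANE_ACTION_GET_VALUE and SANE_ACTION_SET_VALUE is right, since SANE_ACTION_SET_AUTO ignores the value pointer, but note that h is still cast to TScanner on the following `s = (TScanner *) h;` line without any screening, exactly as before the patch.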
-- 
2.5.1
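The frontend probe described in the reply, run against the screening logic of the patch, as an added stand-alone example. This is not code from sane-backends or the niash backend: the SANE_Int/SANE_Word typedefs, the option enum (optCount = 0 ... optLast), the action and status values, the TScanner struct and the sample option values are all defined here as assumptions that mimic the shapes of the real API. The unchecked variant shows the array-index pattern the bug report is about; the screened variant mirrors the two checks in the hunk and adds the rule that option 0 is read-only.

```c
/* Added example, not code from sane-backends or the niash backend.
 * Stand-alone model of the argument screening in the patch above.
 * The types, enum values and status codes below are defined here to
 * mimic the SANE API shapes; they are assumptions, not taken from sane.h. */
#include <stddef.h>
#include <stdio.h>

typedef int SANE_Int;
typedef int SANE_Word;

/* Assumed layout of the backend's option indices: option 0 is the
 * option count (must stay readable) and optLast is the sentinel. */
typedef enum { optCount = 0, optDPI, optMode, optLast } EOptionIndex;

typedef enum { SANE_ACTION_GET_VALUE, SANE_ACTION_SET_VALUE, SANE_ACTION_SET_AUTO } SANE_Action;

typedef enum { SANE_STATUS_GOOD = 0, SANE_STATUS_UNSUPPORTED = 1, SANE_STATUS_INVAL = 4 } SANE_Status;

/* Constructed backend state: one value slot per option index. */
typedef struct { SANE_Word values[optLast]; } TScanner;

/* The shape the bug report is about: n is used as an array index with
 * no range check, so n == 17 reads or writes past values[] (undefined
 * behaviour). Kept only for comparison; never call it with an untrusted n. */
SANE_Status control_option_unchecked(TScanner *s, SANE_Int n, SANE_Action action, void *pVal)
{
  if (action == SANE_ACTION_GET_VALUE)
    *(SANE_Word *)pVal = (n == optCount) ? optLast : s->values[n];
  else if (action == SANE_ACTION_SET_VALUE)
    s->values[n] = *(SANE_Word *)pVal;
  else
    s->values[n] = 0;                       /* constructed "automatic" default */
  return SANE_STATUS_GOOD;
}

/* Screened version, mirroring the patch: reject n outside [optCount, optLast)
 * with UNSUPPORTED and a NULL value pointer on GET/SET with INVAL.
 * SET_AUTO ignores the value pointer per the SANE spec, so NULL is allowed there. */
SANE_Status control_option_screened(TScanner *s, SANE_Int n, SANE_Action action, void *pVal)
{
  if (n < optCount || n >= optLast)
    return SANE_STATUS_UNSUPPORTED;
  if ((action == SANE_ACTION_GET_VALUE || action == SANE_ACTION_SET_VALUE) && pVal == NULL)
    return SANE_STATUS_INVAL;
  if (n == optCount && action != SANE_ACTION_GET_VALUE)
    return SANE_STATUS_INVAL;               /* option 0 (the count) is read-only */
  /* n and pVal are now screened, so the index and dereference are in bounds. */
  return control_option_unchecked(s, n, action, pVal);
}

/* The hostile-frontend probe from the report: GET_VALUE on option n. */
SANE_Status probe_get(SANE_Int n)
{
  TScanner s = { { 0, 300, 1 } };           /* constructed option values */
  SANE_Word sane_word = -1;
  return control_option_screened(&s, n, SANE_ACTION_GET_VALUE, &sane_word);
}

/* Probe with a NULL value pointer for the given action on a valid option. */
SANE_Status probe_null(SANE_Action action)
{
  TScanner s = { { 0, 300, 1 } };
  return control_option_screened(&s, optDPI, action, NULL);
}

/* Option count reported through option 0; must still work after screening. */
SANE_Word read_option_count(void)
{
  TScanner s = { { 0, 300, 1 } };
  SANE_Word count = -1;
  control_option_screened(&s, optCount, SANE_ACTION_GET_VALUE, &count);
  return count;
}

int main(void)
{
  printf("n=17      -> %d (expect %d UNSUPPORTED)\n", probe_get(17), SANE_STATUS_UNSUPPORTED);
  printf("n=-1      -> %d (expect %d UNSUPPORTED)\n", probe_get(-1), SANE_STATUS_UNSUPPORTED);
  printf("n=optLast -> %d (expect %d UNSUPPORTED)\n", probe_get(optLast), SANE_STATUS_UNSUPPORTED);
  printf("n=0       -> %d, reported option count %d\n", probe_get(optCount), read_option_count());
  printf("NULL GET  -> %d (expect %d INVAL)\n", probe_null(SANE_ACTION_GET_VALUE), SANE_STATUS_INVAL);
  printf("NULL AUTO -> %d (expect %d GOOD)\n", probe_null(SANE_ACTION_SET_AUTO), SANE_STATUS_GOOD);
  return 0;
}
```

Compile with `cc -Wall niash_screen.c && ./a.out`. The interesting cases are the edges: optCount itself must be accepted for GET_VALUE because option 0 is how a frontend learns how many options exist, optLast must be rejected even though it is a valid enumerator, and a NULL pointer is an error for GET/SET but not for SET_AUTO.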

-- 
sane-devel mailing list: sane-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/sane-devel
Unsubscribe: Send mail with subject "unsubscribe your_password"
             to sane-devel-requ...@lists.alioth.debian.org