Overflow at benchmark-tls.c (gnutls version - 3.8.3)
Potential problem
In /src/benchmark-tls.c the value total_diffs_size is used as an index when accessing an element of the array total_diffs, whose size is 32768. https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L568
At the same time we check that the index value is not greater than 32768, but the problem is that we do so only after accessing the array element. https://gitlab.com/gnutls/gnutls/-/blob/3.8.3/src/benchmark-tls.c#L570-572
This means a situation may arise in which the index value is equal to 32768: the check has not yet fired, so the program has no chance to react, and the access lands outside the array, which can lead to unpredictable results.
Possible solution
Given that in your implementation the index value is incremented by 1 immediately after the array access, the problem can be solved by adding a single character to the conditional statement:
if (total_diffs_size >= sizeof(total_diffs) / sizeof(total_diffs[0]))
In that case the maximum allowed value of total_diffs_size will be 32767.
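To make the off-by-one concrete, the following is an added example that models the loop shape described above; it is not code from gnutls or from benchmark-tls.c. CAPACITY is a constructed stand-in for 32768, and record_samples, store and the wrapper functions are illustrative names. The store helper refuses and counts any index past the end instead of performing the out-of-bounds write that real code would, so the model can show how many writes the '>' check lets through versus the '>=' check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the 32768-element array in the report. */
#define CAPACITY 8

struct diff_log {
	unsigned int diffs[CAPACITY];
	size_t size;         /* next index to write, like total_diffs_size */
	size_t oob_attempts; /* stores that would have landed past the end */
};

/* Store v at index idx. A real array write here would be undefined
 * behaviour for idx >= CAPACITY, so the model counts it instead. */
static bool store(struct diff_log *log, size_t idx, unsigned int v)
{
	if (idx >= CAPACITY) {
		log->oob_attempts++;
		return false;
	}
	log->diffs[idx] = v;
	return true;
}

/* The store-then-increment-then-check loop from the report.
 * fixed == false uses '>' (the reported bug), fixed == true uses '>='.
 * Returns the number of samples that were actually recorded. */
size_t record_samples(struct diff_log *log, size_t n_samples, bool fixed)
{
	size_t n = sizeof(log->diffs) / sizeof(log->diffs[0]);
	size_t recorded = 0;

	log->size = 0;
	log->oob_attempts = 0;
	for (size_t i = 0; i < n_samples; i++) {
		/* the access happens before any check, as in the report */
		if (store(log, log->size, (unsigned int)i))
			recorded++;
		log->size++;
		/* limit test only runs after the access and the increment */
		if (fixed ? (log->size >= n) : (log->size > n))
			break;
	}
	return recorded;
}

/* Wrappers that run the loop and read back one figure each. */
size_t recorded_count(size_t n_samples, bool fixed)
{
	struct diff_log log;
	return record_samples(&log, n_samples, fixed);
}

size_t oob_stores(size_t n_samples, bool fixed)
{
	struct diff_log log;
	record_samples(&log, n_samples, fixed);
	return log.oob_attempts;
}

size_t final_index(size_t n_samples, bool fixed)
{
	struct diff_log log;
	record_samples(&log, n_samples, fixed);
	return log.size;
}

int main(void)
{
	printf("check with '>' : recorded %zu, out-of-bounds stores %zu, final index %zu\n",
	       recorded_count(20, false), oob_stores(20, false), final_index(20, false));
	printf("check with '>=': recorded %zu, out-of-bounds stores %zu, final index %zu\n",
	       recorded_count(20, true), oob_stores(20, true), final_index(20, true));
	return 0;
}
```

With the '>' check the index reaches CAPACITY, the check passes because CAPACITY > CAPACITY is false, and the next iteration stores at index CAPACITY before anything can stop it. With '>=' the loop stops as soon as the index equals CAPACITY, so the highest index ever used for a store is CAPACITY - 1, which is the 32767 the report arrives at.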
Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.
Author D. Meliksetyan.