srptool:possible stack buffer overflow with large SRP groups
Hello!
I used the SAST tool Svace to analyze gnutls 3.8.11 and encountered a possible buffer overflow in the function _srp_crypt. In particular, the static buffer result in _srp_crypt() is only 1024 bytes, while the 8192-bit SRP group code produces a base64-encoded verifier of 1366 characters.
I've checked it manually on Ubuntu 24.04.2 LTS by creating a tpasswd.conf file and then trying to create a verifier with the 8192-bit SRP group by specifying --index=7:
~$ srptool --passwd-conf ~/tpasswd.conf --passwd ~/tpasswd --username testuser --index=7
gdb showed this:
(gdb) break srptool.c:468
Breakpoint 1 at 0x2dce: file srptool.c, line 468.
(gdb) run --passwd-conf ~/tpasswd.conf --passwd ~/tpasswd --username testuser --index=7
Starting program: /usr/local/bin/srptool --passwd-conf ~/tpasswd.conf --passwd ~/tpasswd --username testuser --index=7
<...>
Enter password:
Breakpoint 1, _srp_crypt (username=0x7fffffffe21e "testuser",
passwd=0x55555557f130 "admin", salt_size=16, g=0x7fffffffb050,
n=0x7fffffffb040) at srptool.c:468
468 sprintf(result, "%s:%s", txt_verifier.data, txt_salt.data);
(gdb) print result
$1 = '\000' <repeats 113 times>
(gdb) print txt_verifier.size
$2 = 1366
(gdb)
However, the program doesn't crash in this case in my env. But I've noticed that I cannot then verify such a password:
~$ srptool --verify --passwd-conf ~/tpasswd.conf --passwd ~/tpasswd --username testuser
Enter password:
Encoding error
At the moment I haven't found the precise cause of this behavior because I'm a newbie to the gnutls srptool source code, but I think it may be connected with the out-of-bounds write explained above.
At least, for addressing the buffer overflow we could, e.g.:
- increase the static buffer size to 2048 bytes (sufficient for all currently supported groups),
- replace sprintf() with snprintf() to prevent overflow even if the buffer were accidentally too small.
But unfortunately it doesn't help with the Encoding error; the error remains. I wanted to open an MR at first, but for now I don't know how to deal with the Encoding error, so the fix would be incomplete or even wrong. Probably I misunderstand something important here, so sorry if I'm mistaken.
Thank you in advance for your time and expertise!
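The sizing problem described in this report, shown as an added stand-alone example that is not gnutls code: a fixed 1024-byte buffer receiving "verifier:salt" via sprintf(), beside a hardened variant that uses snprintf() and treats truncation as an error. The function names, the constructed verifier/salt strings, and the 24-character salt length (base64 of the 16-byte salt seen in the gdb output) are assumptions for illustration; the 1366-character verifier length is the value from the report. The unsafe variant is kept only for contrast and is never called on oversized input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as the static result buffer named in the report. */
#define RESULT_BUF_SIZE 1024

/* Vulnerable pattern (hypothetical mirror of the reported sprintf call):
 * no bound on the destination, so a verifier longer than the buffer
 * writes past its end. Not called on oversized input below. */
static void format_line_unsafe(char *result, const char *verifier, const char *salt)
{
    sprintf(result, "%s:%s", verifier, salt);
}

/* Bytes needed for "verifier:salt" plus the terminating NUL. */
size_t required_size(size_t verifier_len, size_t salt_len)
{
    return verifier_len + 1 + salt_len + 1;
}

/* Hardened variant: bounded write, and truncation is reported as an
 * error instead of silently producing a corrupt entry. Returns 0 on
 * success, -1 if the line does not fit in result_size bytes. */
int format_line_safe(char *result, size_t result_size,
                     const char *verifier, const char *salt)
{
    int n = snprintf(result, result_size, "%s:%s", verifier, salt);
    if (n < 0 || (size_t)n >= result_size) {
        if (result_size > 0)
            result[0] = '\0';   /* leave nothing half-written behind */
        return -1;
    }
    return 0;
}

/* Constructed stand-in for a base64 string of the given length
 * (real verifiers are base64 of the SRP verifier integer). */
static char *make_fake_b64(size_t len, char fill)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, fill, len);
    s[len] = '\0';
    return s;
}

/* Try to format a verifier of verifier_len chars and a salt of salt_len
 * chars into a heap buffer of buf_size bytes; returns the safe
 * formatter's result (0 fits, -1 does not fit). */
int format_fits(size_t buf_size, size_t verifier_len, size_t salt_len)
{
    char *verifier = make_fake_b64(verifier_len, 'A');
    char *salt = make_fake_b64(salt_len, 'B');
    char *buf = malloc(buf_size);
    int rc = -1;

    if (verifier && salt && buf)
        rc = format_line_safe(buf, buf_size, verifier, salt);

    free(buf);
    free(salt);
    free(verifier);
    return rc;
}

int main(void)
{
    /* Small input: both variants behave the same. */
    char small[RESULT_BUF_SIZE];
    format_line_unsafe(small, "dGVzdA==", "c2FsdA==");
    printf("unsafe, small input: %s\n", small);

    /* 8192-bit group: 1366-char verifier + ':' + 24-char salt + NUL. */
    printf("required bytes for 8192-bit group line: %zu\n",
           required_size(1366, 24));
    printf("fits in %d-byte buffer: %s\n", RESULT_BUF_SIZE,
           format_fits(RESULT_BUF_SIZE, 1366, 24) == 0 ? "yes" : "no");
    printf("fits in 2048-byte buffer: %s\n",
           format_fits(2048, 1366, 24) == 0 ? "yes" : "no");
    return 0;
}
```

With the report's numbers, required_size(1366, 24) is 1392 bytes, so the 1024-byte buffer is short by 368 bytes; a 2048-byte buffer holds it with room to spare. The check in format_line_safe is the part worth carrying into a fix: enlarging the buffer alone removes today's overflow, while snprintf() plus the truncation check turns any future oversized group into a reported error rather than a silent memory write.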