From cfe1be3bee53a5b16e92e8d1c3aed7d611118e98 Mon Sep 17 00:00:00 2001 From: Mingjie Shen Date: Tue, 5 Mar 2024 18:13:28 -0500 Subject: [PATCH 1/4] ssl_mail_client: Fix unbounded write of sprintf() These calls to sprintf may overflow buf because opt.mail_from and opt.mail_to are controlled by users. Fix by replacing sprintf with snprintf. Signed-off-by: Mingjie Shen --- programs/ssl/ssl_mail_client.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 31da2ed83..f755158dc 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -723,7 +723,7 @@ usage: mbedtls_printf(" > Write MAIL FROM to server:"); fflush(stdout); - len = sprintf((char *) buf, "MAIL FROM:<%s>\r\n", opt.mail_from); + len = snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from); ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -735,7 +735,7 @@ usage: mbedtls_printf(" > Write RCPT TO to server:"); fflush(stdout); - len = sprintf((char *) buf, "RCPT TO:<%s>\r\n", opt.mail_to); + len = snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to); ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -759,11 +759,12 @@ usage: mbedtls_printf(" > Write content to server:"); fflush(stdout); - len = sprintf((char *) buf, "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" - "This is a simple test mail from the " - "Mbed TLS mail client example.\r\n" - "\r\n" - "Enjoy!", opt.mail_from); + len = snprintf((char *) buf, sizeof(buf), + "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" + "This is a simple test mail from the " + "Mbed TLS mail client example.\r\n" + "\r\n" + "Enjoy!", opt.mail_from); ret = write_ssl_data(&ssl, buf, len); len = sprintf((char *) buf, "\r\n.\r\n"); From 62d462a4870deb9115761e1588240b1b101d2511 Mon Sep 17 00:00:00 2001 From: Mingjie Shen Date: Tue, 12 Mar 2024 16:00:28 -0400 Subject: [PATCH 2/4] ssl_mail_client: Replace snprintf with mbedtls_snprintf Signed-off-by: Mingjie Shen --- programs/ssl/ssl_mail_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index f755158dc..72e12f0f7 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -723,7 +723,7 @@ usage: mbedtls_printf(" > Write MAIL FROM to server:"); fflush(stdout); - len = snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from); + len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from); ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -735,7 +735,7 @@ usage: mbedtls_printf(" > Write RCPT TO to server:"); fflush(stdout); - len = snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to); + len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to); ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -759,7 +759,7 @@ usage: mbedtls_printf(" > Write content to server:"); fflush(stdout); - len = snprintf((char *) buf, sizeof(buf), + len = mbedtls_snprintf((char *) buf, sizeof(buf), "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" "This is a simple test mail from the " "Mbed TLS mail client example.\r\n" From f5b93c1e95f53e81be4bf1db64b80d7c678e01de Mon Sep 17 00:00:00 2001 From: Mingjie Shen Date: Tue, 12 Mar 2024 16:23:41 -0400 Subject: [PATCH 3/4] ssl_mail_client: Check return value of mbedtls_snprintf The return value of snprintf() is the number of characters (excluding the null terminator) which would have been written to the buffer if enough space had been available. Thus, a return value of size or more means the output was truncated. Signed-off-by: Mingjie Shen --- programs/ssl/ssl_mail_client.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 72e12f0f7..512a61037 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -724,6 +724,10 @@ usage: fflush(stdout); len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from); + if (len < 0 || (size_t)len >= sizeof(buf)) { + mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); + goto exit; + } ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -736,6 +740,10 @@ usage: fflush(stdout); len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to); + if (len < 0 || (size_t)len >= sizeof(buf)) { + mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); + goto exit; + } ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -765,6 +773,10 @@ usage: "Mbed TLS mail client example.\r\n" "\r\n" "Enjoy!", opt.mail_from); + if (len < 0 || (size_t)len >= sizeof(buf)) { + mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); + goto exit; + } ret = write_ssl_data(&ssl, buf, len); len = sprintf((char *) buf, "\r\n.\r\n"); From 52c2af3ba45a823b149ca1090a0f9bbbb2f7addf Mon Sep 17 00:00:00 2001 From: Mingjie Shen Date: Mon, 18 Mar 2024 14:30:06 -0400 Subject: [PATCH 4/4] ssl_mail_client: Fix code style issue Signed-off-by: Mingjie Shen --- programs/ssl/ssl_mail_client.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 512a61037..f2e30e4b9 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -724,7 +724,7 @@ usage: fflush(stdout); len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from); - if (len < 0 || (size_t)len >= sizeof(buf)) { + if (len < 0 || (size_t) len >= sizeof(buf)) { mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); goto exit; } @@ -740,7 +740,7 @@ usage: fflush(stdout); len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to); - if (len < 0 || (size_t)len >= sizeof(buf)) { + if (len < 0 || (size_t) len >= sizeof(buf)) { mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); goto exit; } @@ -768,12 +768,12 @@ usage: fflush(stdout); len = mbedtls_snprintf((char *) buf, sizeof(buf), - "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" - "This is a simple test mail from the " - "Mbed TLS mail client example.\r\n" - "\r\n" - "Enjoy!", opt.mail_from); - if (len < 0 || (size_t)len >= sizeof(buf)) { + "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" + "This is a simple test mail from the " + "Mbed TLS mail client example.\r\n" + "\r\n" + "Enjoy!", opt.mail_from); + if (len < 0 || (size_t) len >= sizeof(buf)) { mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); goto exit; }