Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

This is a null pointer dereference vulnerability occurring at line 1480 in the file /OpenDMARC/libopendmarc/opendmarc_policy.c #256

Open
LuMingYinDetect opened this issue Feb 28, 2024 · 8 comments
Open

This is a null pointer dereference vulnerability occurring at line 1480 in the file /OpenDMARC/libopendmarc/opendmarc_policy.c #256

LuMingYinDetect opened this issue Feb 28, 2024 · 8 comments

Comments

@LuMingYinDetect
Copy link

Hello, I am a graduate student specializing in static analysis of programs. Recently, while using a static analysis tool to detect issues in open-source projects, I found several defects in the project. The description of the defects can be found at the following link:https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md
@futatuki
Copy link

futatuki commented Mar 2, 2024

Although the library function itself is obviously broken in safety, its callers in OpenDMARC, https://github.com/trusteddomainproject/OpenDMARC/blob/master/opendmarc/opendmarc-check.c#L224 and https://github.com/trusteddomainproject/OpenDMARC/blob/master/opendmarc/opendmarc.c#L3289 always call the function with size_of_buf = 0. So OpenDMARC itself is not vulnerable, I think.

@futatuki
Copy link

futatuki commented Mar 2, 2024

On the other hand, as a library function, opendmarc_policy_fetch_ruf() cannot owe that line_buf and size_of_buf have right values. If line_buf is not pointing right place to store some value, even if it is not NULL, the caller would not run as the programmer expected, and might also cause some violation. Thus the responsibility for line_buf and size_of_buf values should be the caller.

@LuMingYinDetect
Copy link
Author

On the other hand, as a library function, opendmarc_policy_fetch_ruf() cannot owe that line_buf and size_of_buf have right values. If line_buf is not pointing right place to store some value, even if it is not NULL, the caller would not run as the programmer expected, and might also cause some violation. Thus the responsibility for line_buf and size_of_buf values should be the caller.

Thank you for your prompt reply. It seems that this defect should not be triggered. I will close the issue.

@futatuki
Copy link

futatuki commented Mar 2, 2024

Just wait a moment. Although it might not a vulnerability, I also think it is a bug which should be fixed (perhaps change '||' to '&&').

@LuMingYinDetect
Copy link
Author

Just wait a moment. Although it might not a vulnerability, I also think it is a bug which should be fixed (perhaps change '||' to '&&').

Indeed, changing || to && will enhance the logical coherence of the program. I reopened the issue.

@KIC-8462852
Copy link

Of course this is a bug that needs to be fixed. Instead of:

if (list_buf != NULL || size_of_buf > 0)

the code at libopendmarc/opendmarc_policy.c#L1478 should be:

if (list_buf != NULL && size_of_buf > 0)

You can even see this in a similar function opendmarc_policy_fetch_rua() a few lines earlier in the same source libopendmarc/opendmarc_policy.c#L1420

In the OpenDMARC project, this bug is out of reach, as opendmarc_policy_fetch_ruf() is always called with both list_buf = NULL and size_of_buf = 0:

opendmarc/opendmarc.c#L3289

ruv = opendmarc_policy_fetch_ruf(cc->cctx_dmarc, NULL, 0, TRUE);

opendmarc/opendmarc-check.c#L224

ruf = opendmarc_policy_fetch_ruf(dmarc, NULL, 0, 1);

However, this is a library function and may be used outside of this project in a way that could trigger the bug.

@LuMingYinDetect
Copy link
Author

Of course this is a bug that needs to be fixed. Instead of:

if (list_buf != NULL || size_of_buf > 0)

the code at libopendmarc/opendmarc_policy.c#L1478 should be:

if (list_buf != NULL && size_of_buf > 0)

You can even see this in a similar function opendmarc_policy_fetch_rua() a few lines earlier in the same source libopendmarc/opendmarc_policy.c#L1420

In the OpenDMARC project, this bug is out of reach, as opendmarc_policy_fetch_ruf() is always called with both list_buf = NULL and size_of_buf = 0:

opendmarc/opendmarc.c#L3289

ruv = opendmarc_policy_fetch_ruf(cc->cctx_dmarc, NULL, 0, TRUE);

opendmarc/opendmarc-check.c#L224

ruf = opendmarc_policy_fetch_ruf(dmarc, NULL, 0, 1);

However, this is a library function and may be used outside of this project in a way that could trigger the bug.

Thank you for the detailed analysis! I'd like to reach out to the author of this library to address this issue. Do you have a link for submitting bugs related to this library?

@KIC-8462852
Copy link

KIC-8462852 commented Mar 3, 2024
edited
Loading

Thank you for the detailed analysis! I'd like to reach out to the author of this library to address this issue. Do you have a link for submitting bugs related to this library?

This is the place. libopendmarc is part of OpenDMARC project.

Adadov added a commit to Adadov/OpenDMARC that referenced this issue Jun 19, 2024
@Adadov
Fix: null pointer dereference vulnerability occurring issue trusteddo…
b0db823 
…mainproject#256
Adadov added a commit to Adadov/OpenDMARC that referenced this issue Jun 19, 2024
@Adadov
Fix: null pointer dereference vulnerability
17e5e0a 
  Official github issue trusteddomainproject#256
  CVE-2024-25768
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@futatuki @KIC-8462852 @LuMingYinDetect