Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug for cJSON_SetValuestring #803

Closed
Du4t opened this issue Dec 4, 2023 · 4 comments
Closed

bug for cJSON_SetValuestring #803

Du4t opened this issue Dec 4, 2023 · 4 comments

Comments

@Du4t
Copy link

Du4t commented Dec 4, 2023

Description

If the the object passed in cJSON_SetValuestring dont have valuestring, the object->valuestringwill be null. The null pointer dereference will cause SEGV in function cJSON_SetValuestring cJSON.c:408

Version

commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
Author: Alan Wang <[email protected]>
Date:   Wed Jul 5 11:22:19 2023 +0800

Related Code

CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
    char *copy = NULL;
    /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
    if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object->valuestring)) // <== here
    {
        strcpy(object->valuestring, valuestring);
        return object->valuestring;
    }
    copy = (char*) cJSON_strdup((const unsigned char*)valuestring, &global_hooks);
    if (copy == NULL)
    {
        return NULL;
    }
    if (object->valuestring != NULL)
    {
        cJSON_free(object->valuestring);
    }
    object->valuestring = copy;

    return copy;
}

Impact

Potentially causing DoS

@carnil
Copy link

carnil commented Dec 14, 2023

Looks this issue got a CVE assigned, CVE-2023-50472

@PeterAlfredLee
Copy link
Contributor

My POC if I'm understanding this problem correctly:

    cJSON *corruptedItem = cJSON_CreateString("corrupted");

    corruptedItem->valuestring = NULL;
    return_value = cJSON_SetValuestring(corruptedItem, "test");

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 15, 2023
Add NULL checkings in cJSON_InsertItemInArray and cJSON_SetValuestring
Fixing DaveGamble#802(CVE-2023-50471) and DaveGamble#803(CVE-2023-50472)
@mmuehlenhoff
Copy link

Why is this considered a security issue? This crosses no security boundary, it only lacks sanity handling for broken use of a function?

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 16, 2023
@carnil
Copy link

carnil commented Dec 16, 2023

Why is this considered a security issue? This crosses no security boundary, it only lacks sanity handling for broken use of a function?

@mmuehlenhoff FWIW, I do not know, I'm not related with requesting the CVE, I was just relaying it here after doing some CVE triage in a downstream distribution. It might be sensible to ask the assigning CNA for rejection if the issue is not considered valid security issue.

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 20, 2023
PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 20, 2023
Alanscut pushed a commit that referenced this issue Dec 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants