Bug 1084647 - GCC 8: cyrus-sasl build fails
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Peter Varkoly
Blocks: 1084649
Reported: 2018-03-09 10:06 UTC by Martin Liška
Modified: 2018-04-06 14:02 UTC

Description Martin Liška 2018-03-09 10:06:19 UTC
When building the package with GCC 8, there's an error:

[  107s] E: cyrus-sasl destbufferoverflow cram.c:295:2

Please build the project as follows to reproduce the issue:
osc build --alternative-project=openSUSE:Factory:Staging:Gcc7
Comment 2 Martin Liška 2018-04-06 12:27:27 UTC
I'm adding some other people who may help us.
Comment 3 Vítězslav Čížek 2018-04-06 12:59:22 UTC
cyrus-sasl uses this problematic variable-length structure:
202 /* Plain text password structure.
203  *  len is the length of the password, data is the text.
204  */
205 typedef struct sasl_secret {                                                                                     
206     unsigned long len;
207     unsigned char data[1];              /* variable sized */
208 } sasl_secret_t;

It allocates memory for it like this:
291         sec = sparams->utils->malloc(sizeof(sasl_secret_t) + len);

And then GCC's checks catch the "overflow" in, e.g.:
295         strncpy((char *)sec->data, auxprop_values[0].values[0], len + 1);
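
The allocation arithmetic from comment 3, as an added example that is not part of the bug thread or of cyrus-sasl: it shows why copying len + 1 bytes stays inside the malloc'd block, next to a C99 flexible-array-member variant of the same object. `secret_fam_t`, `hack_capacity`, `secret_hack_new` and `secret_fam_new` are hypothetical names, the overflow checks are additions, and `memcpy` stands in for the thread's `strncpy`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout quoted in comment 3: one-element trailing array ("struct hack"). */
typedef struct sasl_secret {
    unsigned long len;
    unsigned char data[1];              /* variable sized */
} sasl_secret_t;

/* Hypothetical C99 variant: a flexible array member states the intent. */
typedef struct secret_fam {
    unsigned long len;
    unsigned char data[];
} secret_fam_t;

/* Bytes usable in data[] after malloc(sizeof(sasl_secret_t) + len). */
size_t hack_capacity(size_t len) {
    return sizeof(sasl_secret_t) + len - offsetof(sasl_secret_t, data);
}

/* The allocation pattern from comment 3, with an overflow check added. */
sasl_secret_t *secret_hack_new(const char *pw) {
    size_t len = strlen(pw);
    if (len > SIZE_MAX - sizeof(sasl_secret_t)) return NULL;
    sasl_secret_t *sec = malloc(sizeof(sasl_secret_t) + len);
    if (sec == NULL) return NULL;
    sec->len = len;
    memcpy(sec->data, pw, len + 1);     /* len bytes plus the NUL */
    return sec;
}

/* Same object built on the flexible array member. */
secret_fam_t *secret_fam_new(const char *pw) {
    size_t len = strlen(pw);
    if (len > SIZE_MAX - offsetof(secret_fam_t, data) - 1) return NULL;
    secret_fam_t *sec = malloc(offsetof(secret_fam_t, data) + len + 1);
    if (sec == NULL) return NULL;
    sec->len = len;
    memcpy(sec->data, pw, len + 1);     /* size matches the allocation */
    return sec;
}

int main(void) {
    printf("capacity for len=7: %zu\n", hack_capacity(7));
    return 0;
}
```

Because `sizeof(sasl_secret_t)` already counts `data[0]` (plus any padding), the original allocation always has room for the terminating NUL; the declared array bound of 1 is what a bounds checker sees if it does not treat the trailing array as variable sized.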
Comment 4 Martin Liška 2018-04-06 13:15:26 UTC
(In reply to Vítězslav Čížek from comment #3)
> cyrus-sasl uses this problematic variable-length structure:
> 202 /* Plain text password structure.
> 203  *  len is the length of the password, data is the text.
> 204  */
> 205 typedef struct sasl_secret {
> 206     unsigned long len;
> 207     unsigned char data[1];              /* variable sized */
> 208 } sasl_secret_t;
> 
> It allocates memory for it like this:
> 291         sec = sparams->utils->malloc(sizeof(sasl_secret_t) + len);
> 
> And then GCC's checks catch the "overflow" in, e.g.:
> 295         strncpy((char *)sec->data, auxprop_values[0].values[0], len + 1);

Thanks.
That said, let me take a look.
Comment 5 Martin Liška 2018-04-06 14:02:57 UTC
Good, it's fixed on trunk:

SVN revision: 259083
Author: matz
Fix -Wstringop-overflow regression

we shouldn't claim string overflows for character arrays at
end of structures; the code that tries to avoid these
accidentally passed the address of the accessed member to
array_at_struct_end_p(), but that one wants the component_ref
or array_ref itself.  Needs updating of one testcase that
incorrectly expected warning to occur in this situation.

git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@259083 138bc75d-0d04-0410-961f-82ee72b054a4