From 18c9ad10450be7de1884f993c20adac9b06d3c8f Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 18 Oct 2022 20:05:11 +0200
Subject: [PATCH] all: use nm_memdup() instead of g_memdup()
g_memdup()'s size argument is a guint. There was CVE-2021-27219 about an integer overflow, which results in a buffer overflow. In response to that, g_memdup2() was introduced in 2.68. We can't use g_memdup2(), because our currently required glib version is still 2.40. There was no bug at those two places where g_memdup() was used. It's just that g_memdup() is a code smell. Prevent any questions that a reader of the code might have regarding the correctness of g_memdup() (w.r.t. integer/buffer overflow), by not using it. Instead use our internal nm_memdup() variant, which exactly exists for this reason.
See-also: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
---
 src/libnm-client-impl/nm-secret-agent-old.c | 2 +-
 src/libnm-glib-aux/nm-test-utils.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libnm-client-impl/nm-secret-agent-old.c b/src/libnm-client-impl/nm-secret-agent-old.c
index 93475ed3e..595f78f48 100644
--- a/src/libnm-client-impl/nm-secret-agent-old.c
+++ b/src/libnm-client-impl/nm-secret-agent-old.c
@@ -818,7 +818,7 @@ nm_secret_agent_old_register_async(NMSecretAgentOld *self,
 cancelled_id = g_cancellable_connect(cancellable, G_CALLBACK(_register_cancelled_cb), task, NULL); if (cancelled_id != 0) {
- g_task_set_task_data(task, g_memdup(&cancelled_id, sizeof(cancelled_id)), g_free);
+ g_task_set_task_data(task, nm_memdup(&cancelled_id, sizeof(cancelled_id)), g_free);
 } } }
diff --git a/src/libnm-glib-aux/nm-test-utils.h b/src/libnm-glib-aux/nm-test-utils.h
index f3e558dfe..e88453472 100644
--- a/src/libnm-glib-aux/nm-test-utils.h
+++ b/src/libnm-glib-aux/nm-test-utils.h
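Review bot: Nothing in this patch stops `g_memdup(` from being reintroduced later, so the guint-truncation hazard behind CVE-2021-27219 is removed only at these two call sites (here and in nmtst_logging_disable()). If the tree does not already have one, a CI grep or checkpatch-style rule that rejects new `g_memdup(` calls would make the cleanup stick. The replacement itself looks safe as far as the hunk shows: the length is the compile-time constant `sizeof(cancelled_id)`, and the copy is still released through `g_free`, which presumes nm_memdup() allocates with the GLib allocator; that is worth confirming against its definition. The body of nm_secret_agent_old_register_async() starts outside the hunk.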
@@ -1939,7 +1939,7 @@ nmtst_logging_disable(gboolean always)
 return NULL; }
- p = g_memdup(_nm_logging_enabled_state, sizeof(_nm_logging_enabled_state));
+ p = nm_memdup(_nm_logging_enabled_state, sizeof(_nm_logging_enabled_state));
 memset(_nm_logging_enabled_state, 0, sizeof(_nm_logging_enabled_state)); return p; }
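Review bot: nm-test-utils.h now calls `nm_memdup()` but the patch adds no include, so this header depends on every file that includes it having already seen the declaration; please confirm that holds for all test translation units. Separately, `sizeof(_nm_logging_enabled_state)` is the full object size only if that symbol is declared as an array rather than a pointer, which the hunk does not show; the same expression feeds the `memset`, so a short comment such as `/* _nm_logging_enabled_state is an array; sizeof covers the whole table */` would document the assumption. The returned copy `p` is heap-allocated, and a one-line note on who frees it would help readers. nmtst_logging_disable() starts outside the hunk.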