Fix: possible g_memdup() silent memory truncation. (backport #1024) (#…

…1026)

* Fix possible g_memdup() silent memory truncation. (#1024)

Fix possible g_memdup() silent memory truncation.
Replace g_memdup() with memcpy() in some places, since g_memdup expects an guint (unsigned int)
and some functions were passing bigger memory sizes (like size_t). This avoid truncation.

Replace g_memdup() with g_memdup2() where possible.
For backward compatibility with system with GLib < v2.68, preprocessor directives were added to continue using g_memdup()
This is only for those cases in which the caller function pass valid size.

For testing run the following script with `openvas-nasl -X ../my_nasl/memcpy.nasl `
```
$ cat ../my_nasl/memcpy.nasl

a = "AAAAAAAAAAAAAAA";
display (tolower(a));
display(a);

b= "bbbbbbbbbbbbbbbb";
display (toupper(b));
display(b);

c = "hola mundo";
display (strstr(c, "la"));
```

(cherry picked from commit ca12c69)

# Conflicts:
#	misc/network.c
#	misc/plugutils.c
#	nasl/nasl_cert.c
#	nasl/nasl_crypto.c
#	nasl/nasl_crypto2.c
#	nasl/nasl_misc_funcs.c
#	nasl/nasl_packet_forgery.c
#	nasl/nasl_packet_forgery_v6.c
#	nasl/nasl_scanner_glue.c
#	nasl/nasl_socket.c
#	nasl/nasl_text_utils.c
#	nasl/nasl_var.c

* Fix conflicts

Co-authored-by: Juan José Nicola <jjnicola@gmail.com>
Co-authored-by: Juan Jose Nicola <juan.nicola@greenbone.net>

misc/network.c

@@ -905,7 +905,7 @@ socket_get_cert (int fd, void **cert, int *certlen)
   if (cert_list_len == 0)
     return;
   *certlen = cert_list[0].size;
-  *cert = g_memdup (cert_list[0].data, *certlen);
+  *cert = g_memdup2 (cert_list[0].data, *certlen);
 }
 
 /*

misc/plugutils.c

@@ -26,6 +26,7 @@
 #include "plugutils.h"
 
 #include "network.h" // for OPENVAS_ENCAPS_IP
+#include "support.h" // for g_memdup2 workaround
 
 #include <errno.h>               // for errno
 #include <gvm/base/hosts.h>      // for g_vhost_t
@@ -836,15 +837,17 @@ plug_get_key (struct script_infos *args, char *name, int *type, size_t *len,
         {
           if (type != NULL)
             *type = KB_TYPE_INT;
-          ret = g_memdup (&res->v_int, sizeof (res->v_int));
+          ret = g_memdup2 (&res->v_int, sizeof (res->v_int));
         }
       else
         {
           if (type != NULL)
             *type = KB_TYPE_STR;
           if (len)
             *len = res->len;
-          ret = g_memdup (res->v_str, res->len + 1);
+
+          ret = g_malloc0 (res->len + 1);
+          memcpy (ret, res->v_str, res->len + 1);
         }
       kb_item_free (res);
       return ret;
@@ -866,15 +869,17 @@ plug_get_key (struct script_infos *args, char *name, int *type, size_t *len,
             {
               if (type != NULL)
                 *type = KB_TYPE_INT;
-              ret = g_memdup (&res->v_int, sizeof (res->v_int));
+              ret = g_memdup2 (&res->v_int, sizeof (res->v_int));
             }
           else
             {
               if (type != NULL)
                 *type = KB_TYPE_STR;
               if (len)
                 *len = res->len;
-              ret = g_memdup (res->v_str, res->len + 1);
+
+              ret = g_malloc0 (res->len + 1);
+              memcpy (ret, res->v_str, res->len + 1);
             }
           kb_item_free (res_list);
           return ret;

misc/support.h

@@ -32,4 +32,13 @@
 #endif // __APPLE__ || __FreeBSD__
 #endif // !s6_addr32
 
+// Add backward compatibility for systems with older glib version
+// which still support g_memdup
+// TODO: Remove once our reference system supports g_memdup2
+
+#include <glib.h>
+#if GLIB_MAJOR_VERSION >= 2 && GLIB_MINOR_VERSION < 68
+#define g_memdup2 g_memdup
+#endif
+
 #endif /* not _OPENVAS_MISC_SUPPORT_H */

nasl/nasl_cert.c

@@ -985,7 +985,9 @@ nasl_cert_query (lex_ctxt *lexic)
 
       retc = alloc_typed_cell (CONST_DATA);
       retc->size = m.size;
-      retc->x.str_val = g_memdup (m.data, m.size);
+      retc->x.str_val = g_malloc0 (m.size);
+      memcpy (retc->x.str_val, m.data, m.size);
+
       gnutls_free (m.data);
       gnutls_free (e.data);
       gnutls_x509_crt_deinit (cert);
@@ -1009,7 +1011,9 @@ nasl_cert_query (lex_ctxt *lexic)
 
       retc = alloc_typed_cell (CONST_DATA);
       retc->size = e.size;
-      retc->x.str_val = g_memdup (e.data, e.size);
+      retc->x.str_val = g_malloc0 (e.size);
+      memcpy (retc->x.str_val, e.data, e.size);
+
       gnutls_free (m.data);
       gnutls_free (e.data);
       gnutls_x509_crt_deinit (cert);

nasl/nasl_crypto.c

@@ -25,6 +25,7 @@
 
 #include "nasl_crypto.h"
 
+#include "../misc/support.h"
 #include "exec.h"
 #include "hmacmd5.h"
 #include "nasl_debug.h"
@@ -71,7 +72,7 @@ nasl_gcrypt_hash (lex_ctxt *lexic, int algorithm, void *data, size_t datalen,
   gcry_md_hd_t hd;
   gcry_error_t err;
   tree_cell *retc;
-  int dlen = gcry_md_get_algo_dlen (algorithm);
+  unsigned int dlen = gcry_md_get_algo_dlen (algorithm);
 
   if (data == NULL)
     return NULL;
@@ -100,7 +101,8 @@ nasl_gcrypt_hash (lex_ctxt *lexic, int algorithm, void *data, size_t datalen,
   gcry_md_write (hd, data, datalen);
 
   retc = alloc_typed_cell (CONST_DATA);
-  retc->x.str_val = g_memdup (gcry_md_read (hd, algorithm), dlen + 1);
+  retc->x.str_val = g_malloc0 (dlen + 1);
+  memcpy (retc->x.str_val, gcry_md_read (hd, algorithm), dlen + 1);
   retc->size = dlen;
 
   gcry_md_close (hd);
@@ -340,7 +342,7 @@ hmac_sha384 (const void *key, int keylen, const void *buf, int buflen)
     }
 
   gcry_md_write (hd, buf, buflen);
-  ret = g_memdup (gcry_md_read (hd, 0), 48);
+  ret = g_memdup2 (gcry_md_read (hd, 0), 48);
   gcry_md_close (hd);
   return ret;
 }
@@ -830,7 +832,7 @@ nasl_lm_owf_gen (lex_ctxt *lexic)
 
   retc = alloc_typed_cell (CONST_DATA);
   retc->size = 16;
-  retc->x.str_val = g_memdup (p16, 16);
+  retc->x.str_val = g_memdup2 (p16, 16);
   return retc;
 }
 

nasl/nasl_crypto2.c

@@ -1639,7 +1639,8 @@ encrypt_stream_data (lex_ctxt *lexic, int cipher, const char *caller_func)
   if (cipher == GCRY_CIPHER_ARCFOUR)
     {
       resultlen = datalen;
-      tmp = g_memdup (data, datalen);
+      tmp = g_malloc0 (datalen);
+      memcpy (tmp, data, datalen);
       tmplen = datalen;
     }
   else
@@ -1732,7 +1733,8 @@ encrypt_data (lex_ctxt *lexic, int cipher, int mode)
   if (cipher == GCRY_CIPHER_ARCFOUR)
     {
       resultlen = datalen;
-      tmp = g_memdup (data, datalen);
+      tmp = g_malloc0 (datalen);
+      memcpy (tmp, data, datalen);
       tmplen = datalen;
     }
   else if (cipher == GCRY_CIPHER_3DES)

nasl/nasl_misc_funcs.c

@@ -194,7 +194,8 @@ nasl_telnet_init (lex_ctxt *lexic)
     n += n2;
   retc = alloc_typed_cell (CONST_DATA);
   retc->size = n;
-  retc->x.str_val = g_memdup (buffer, n + 1);
+  retc->x.str_val = g_malloc0 (n + 1);
+  memcpy (retc->x.str_val, buffer, n + 1);
 #undef iac
 #undef data
 #undef option

nasl/nasl_packet_forgery.c

@@ -1897,8 +1897,10 @@ get_icmp_element (lex_ctxt *lexic)
           retc->size =
             get_var_size_by_name (lexic, "icmp") - (ip->ip_hl * 4) - 8;
           if (retc->size > 0)
-            retc->x.str_val =
-              g_memdup (&(p[ip->ip_hl * 4 + 8]), retc->size + 1);
+            {
+              retc->x.str_val = g_malloc0 (retc->size + 1);
+              memcpy (retc->x.str_val, &(p[ip->ip_hl * 4 + 8]), retc->size + 1);
+            }
           else
             {
               retc->x.str_val = NULL;

nasl/nasl_packet_forgery_v6.c

@@ -2025,7 +2025,10 @@ get_icmp_v6_element (lex_ctxt *lexic)
           retc = alloc_typed_cell (CONST_DATA);
           retc->size = get_var_size_by_name (lexic, "icmp") - 40 - 8;
           if (retc->size > 0)
-            retc->x.str_val = g_memdup (&(p[40 + 8]), retc->size + 1);
+            {
+              retc->x.str_val = g_malloc0 (retc->size + 1);
+              memcpy (retc->x.str_val, &(p[40 + 8]), retc->size + 1);
+            }
           else
             {
               retc->x.str_val = NULL;

nasl/nasl_scanner_glue.c

@@ -29,6 +29,7 @@
 
 #include "../misc/network.h"       /* for getpts */
 #include "../misc/plugutils.h"     /* for plug_set_id */
+#include "../misc/support.h"       /* for the g_memdup2 workaround */
 #include "../misc/vendorversion.h" /* for vendor_version_get */
 #include "nasl_debug.h"
 #include "nasl_func.h"
@@ -905,7 +906,8 @@ security_something (lex_ctxt *lexic, proto_post_something_t proto_post_func,
       int len = get_var_size_by_name (lexic, "data");
       int i;
 
-      dup = g_memdup (data, len + 1);
+      dup = g_memdup2 (data, len + 1);
+
       for (i = 0; i < len; i++)
         if (dup[i] == 0)
           dup[i] = ' ';

nasl/nasl_socket.c

@@ -30,6 +30,7 @@
 /*--------------------------------------------------------------------------*/
 #include "../misc/network.h"
 #include "../misc/plugutils.h" /* for plug_get_host_ip */
+#include "../misc/support.h"   /* for the g_memdup2 workaround */
 #include "exec.h"
 #include "nasl.h"
 #include "nasl_debug.h"
@@ -165,10 +166,10 @@ add_udp_data (struct script_infos *script_infos, int soc, char *data, int len)
 {
   GHashTable *udp_data = script_infos->udp_data;
   struct udp_record *data_record = g_malloc0 (sizeof (struct udp_record));
-  int *key = g_memdup (&soc, sizeof (int));
+  int *key = g_memdup2 (&soc, sizeof (int));
 
   data_record->len = len;
-  data_record->data = g_memdup ((gconstpointer) data, (guint) len);
+  data_record->data = g_memdup2 ((gconstpointer) data, (guint) len);
 
   if (udp_data == NULL)
     {
@@ -840,7 +841,7 @@ nasl_recv (lex_ctxt *lexic)
   if (new_len > 0)
     {
       tree_cell *retc = alloc_typed_cell (CONST_DATA);
-      retc->x.str_val = g_memdup (data, new_len);
+      retc->x.str_val = g_memdup2 (data, new_len);
       retc->size = new_len;
       g_free (data);
       return retc;
@@ -909,8 +910,7 @@ nasl_recv_line (lex_ctxt *lexic)
 
   retc = alloc_typed_cell (CONST_DATA);
   retc->size = new_len;
-  retc->x.str_val = g_memdup (data, new_len + 1);
-
+  retc->x.str_val = g_memdup2 (data, new_len + 1);
   g_free (data);
 
   return retc;

nasl/nasl_text_utils.c

@@ -398,20 +398,22 @@ tree_cell *
 nasl_tolower (lex_ctxt *lexic)
 {
   tree_cell *retc;
-  char *str = get_str_var_by_num (lexic, 0);
+  char *str = get_str_var_by_num (lexic, 0), *ret;
   int str_len = get_var_size_by_num (lexic, 0);
   int i;
 
   if (str == NULL)
     return NULL;
 
-  str = g_memdup (str, str_len + 1);
+  ret = g_malloc0 (str_len + 1);
+  memcpy (ret, str, str_len + 1);
+
   for (i = 0; i < str_len; i++)
-    str[i] = tolower (str[i]);
+    ret[i] = tolower (ret[i]);
 
   retc = alloc_typed_cell (CONST_DATA);
   retc->size = str_len;
-  retc->x.str_val = str;
+  retc->x.str_val = ret;
   return retc;
 }
 
@@ -420,20 +422,22 @@ tree_cell *
 nasl_toupper (lex_ctxt *lexic)
 {
   tree_cell *retc;
-  char *str = get_str_var_by_num (lexic, 0);
+  char *str = get_str_var_by_num (lexic, 0), *ret;
   int str_len = get_var_size_by_num (lexic, 0);
   int i;
 
   if (str == NULL)
     return NULL;
 
-  str = g_memdup (str, str_len + 1);
+  ret = g_malloc0 (str_len + 1);
+  memcpy (ret, str, str_len + 1);
+
   for (i = 0; i < str_len; i++)
-    str[i] = toupper (str[i]);
+    ret[i] = toupper (ret[i]);
 
   retc = alloc_typed_cell (CONST_DATA);
   retc->size = str_len;
-  retc->x.str_val = str;
+  retc->x.str_val = ret;
   return retc;
 }
 
@@ -1248,7 +1252,9 @@ nasl_strstr (lex_ctxt *lexic)
 
   retc = alloc_typed_cell (CONST_DATA);
   retc->size = sz_a - (c - a);
-  retc->x.str_val = g_memdup (c, retc->size + 1);
+  retc->x.str_val = g_malloc0 (retc->size + 1);
+  memcpy (retc->x.str_val, c, retc->size + 1);
+
   return retc;
 }
 

nasl/nasl_var.c

@@ -1087,8 +1087,9 @@ get_variable_by_name (lex_ctxt *ctxt, const char *name)
        break;
      case VAR2_STRING:
      case VAR2_DATA:
-       v->string_form =
-         g_memdup ((char *) v->v.v_str.s_val ?: "", v->v.v_str.s_siz + 1);
+       v->string_form = g_malloc0 (v->v.v_str.s_siz + 1);
+       memcpy (v->string_form, (char *) v->v.v_str.s_val ?: "",
+               v->v.v_str.s_siz + 1);
        break;
      case VAR2_UNDEF:
        break;