Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug for cJSON_SetValuestring #803

Closed
Du4t opened this issue Dec 4, 2023 · 4 comments
Closed

bug for cJSON_SetValuestring #803

Du4t opened this issue Dec 4, 2023 · 4 comments

Comments

@Du4t
Copy link

Du4t commented Dec 4, 2023

Description

If the the object passed in cJSON_SetValuestring dont have valuestring, the object->valuestringwill be null. The null pointer dereference will cause SEGV in function cJSON_SetValuestring cJSON.c:408

Version

commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
Author: Alan Wang <[email protected]>
Date:   Wed Jul 5 11:22:19 2023  0800

Related Code

CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
    char *copy = NULL;
    /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
    if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object->valuestring)) // <== here
    {
        strcpy(object->valuestring, valuestring);
        return object->valuestring;
    }
    copy = (char*) cJSON_strdup((const unsigned char*)valuestring, &global_hooks);
    if (copy == NULL)
    {
        return NULL;
    }
    if (object->valuestring != NULL)
    {
        cJSON_free(object->valuestring);
    }
    object->valuestring = copy;

    return copy;
}

Impact

Potentially causing DoS
@carnil
Copy link

carnil commented Dec 14, 2023

Looks this issue got a CVE assigned, CVE-2023-50472

@PeterAlfredLee
Copy link
Contributor

My POC if I'm understanding this problem correctly:

    cJSON *corruptedItem = cJSON_CreateString("corrupted");

    corruptedItem->valuestring = NULL;
    return_value = cJSON_SetValuestring(corruptedItem, "test");

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 15, 2023
@PeterAlfredLee
add NULL checkings
9759352 
Add NULL checkings in cJSON_InsertItemInArray and cJSON_SetValuestring
Fixing DaveGamble#802(CVE-2023-50471) and DaveGamble#803(CVE-2023-50472)
@PeterAlfredLee PeterAlfredLee mentioned this issue Dec 15, 2023
Merged
@mmuehlenhoff
Copy link

Why is this considered a security issue? This crosses no security boundary, it only lacks sanity handling for broken use of a function?

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 16, 2023
@PeterAlfredLee
add NULL checks in cJSON_SetValuestring
276a462 
Fixes DaveGamble#803(CVE-2023-50472)
@carnil
Copy link

carnil commented Dec 16, 2023

Why is this considered a security issue? This crosses no security boundary, it only lacks sanity handling for broken use of a function?

@mmuehlenhoff FWIW, I do not know, I'm not related with requesting the CVE, I was just relaying it here after doing some CVE triage in a downstream distribution. It might be sensible to ask the assigning CNA for rejection if the issue is not considered valid security issue.

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 20, 2023
@PeterAlfredLee
fix null checks problems
3c7ebd5 
Fixes DaveGamble#802 and DaveGamble#803
PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 20, 2023
@PeterAlfredLee
fix error in null checkings
0140c48 
fixes DaveGamble#802 and DaveGamble#803
@PeterAlfredLee PeterAlfredLee mentioned this issue Dec 20, 2023
Merged
Alanscut pushed a commit that referenced this issue Dec 20, 2023
@PeterAlfredLee
fix error in null checkings (#810)
f66cbab 
fixes #802 and #803
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@carnil @mmuehlenhoff @Du4t @PeterAlfredLee