Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6227 closed defect (fixed)

Buffer overflow potential in netcdf driver

Reported by: Kurt Schwehr Owned by: warmerdam
Priority: normal Milestone: 1.11.4
Component: GDAL_Raster Version: unspecified
Severity: normal Keywords: netcdf
Cc:

Description (last modified by Kurt Schwehr)

https://www.unidata.ucar.edu/software/netcdf/docs/netcdf-c/nc_005finq_005fvar.html - note the "declare your array to be size NC_MAX_NAME+1" part

Usage

     int nc_inq_var      (int ncid, int varid, char *name, nc_type *xtypep,
                          int *ndimsp, int dimids[], int *nattsp);
     int nc_inq_varname  (int ncid, int varid, char *name);
     int nc_inq_vartype  (int ncid, int varid, nc_type *xtypep);
     int nc_inq_varndims (int ncid, int varid, int *ndimsp);
     int nc_inq_vardimid (int ncid, int varid, int dimids[]);
     int nc_inq_varnatts (int ncid, int varid, int *nattsp);

ncid NetCDF ID, from a previous call to nc_open or nc_create. 

varid Variable ID. 

name Returned variable name. The caller must allocate space for the 
  returned name. The maximum possible length, in characters, of a
  variable name is given by the predefined constant NC_MAX_NAME. 
  (This doesn't include the null terminator, so declare your array 
  to be size NC_MAX_NAME+1). The returned character array will be 
  null-terminated. 

e.g.

CPLErr netCDFRasterBand::CreateBandMetadata( int *paDimIds )

{
    netCDFDataset *poDS = reinterpret_cast<netCDFDataset *>( this->poDS );

/* -------------------------------------------------------------------- */
/*      Compute all dimensions from Band number and save in Metadata    */
/* -------------------------------------------------------------------- */
    char szVarName[NC_MAX_NAME];
    nc_inq_varname( cdfid, nZId, szVarName );

Change History (4)

comment:1 by Kurt Schwehr, 8 years ago

Description: modified (diff)

comment:2 by Even Rouault, 8 years ago

Component: defaultGDAL_Raster
Keywords: netcdf added
Milestone: 1.11.4
Resolution: fixed
Status: newclosed

Good catch

trunk r31815 "netCDF: fix potential buffer overflows with uses of nc_inq_varname(), nc_inq_attname() and nc_get_att_text() (identified by Kurt Schwehr, #6227), and also remove most occurences of strcpy, strcat, sprintf to replace them with snprintf; reduce stack requirements by removing uses of NCDF_MAX_STR_LEN"

branches/2.0 r31816, branches/1.11 r31817 "netCDF: fix potential buffer overflows with uses of nc_inq_varname(), nc_inq_attname() and nc_get_att_text() (identified by Kurt Schwehr, #6227)"

comment:3 by Even Rouault, 8 years ago

branches/1.11 r31850, branches/2.0 r31851 -m "netCDF: add another byte for szMetaName buffer in netCDFDataset::ReadAttributes() (#6227)"

comment:4 by Even Rouault, 8 years ago

trunk r31863, branches/2.0 r31864, branches/1.11 r31865 "netCDF: fix potential out-of-bounds write due to inverted logic (CID 1341452, #6227)"

Note: See TracTickets for help on using tickets.