Headline
CVE-2021-41500: Incomplete comparison with function strncmp · Issue #193 · cvxopt/cvxopt
An incomplete string comparison vulnerability exists in cvxopt.org cvxopt <= 1.2.6 in the APIs (cvxopt.cholmod.diag, cvxopt.cholmod.getfactor, cvxopt.cholmod.solve, cvxopt.cholmod.spsolve), which allows attackers to conduct Denial of Service attacks by constructing fake Capsule objects.
Code snippet
static PyObject* solve(PyObject *self, PyObject *args, PyObject *kwrds)
{
    ............
    if (!PyArg_ParseTupleAndKeywords(args, kwrds, "OO|iiii", kwlist,
        &F, &B, &sys, &nrhs, &ldB, &oB)) return NULL;
#if PY_MAJOR_VERSION >= 3
    if (!PyCapsule_CheckExact(F) || !(descr = PyCapsule_GetName(F)))
        err_CO("F");
    if (strncmp(descr, "CHOLMOD FACTOR", 14))  /* <------- The string terminator is not considered. */
        PY_ERR_TYPE("F is not a CHOLMOD factor");
    cholmod_factor *L = (cholmod_factor *) PyCapsule_GetPointer(F, descr);
#else
    if (!PyCObject_Check(F)) err_CO("F");
    descr = PyCObject_GetDesc(F);
    if (!descr || strncmp(descr, "CHOLMOD FACTOR", 14))  /* <------- The string terminator is not considered. */
        PY_ERR_TYPE("F is not a CHOLMOD factor");
    cholmod_factor *L = (cholmod_factor *) PyCObject_AsVoidPtr(F);
#endif
    ............
............
Description
Function:
solve/spsolve/diag/getfactor
Call-path:
1. solve (Python) -> solve -> strncmp
2. spsolve (Python) -> spsolve -> strncmp
3. diag (Python) -> diag -> strncmp
4. getfactor (Python) -> getfactor -> strncmp
WarningType: Incomplete comparison.
Our analysis tool reported four warnings about the incomplete comparison of strings, as shown above.
When the comparison length is 14, the terminator is ignored. Hence, even if strncmp returns 0, the reality may not match expectations, specifically when the variable descr depends on external inputs (Python).
For example, with descr = "CHOLMOD FACTORMalicious", the comparison still returns 0.
Also seen in solve, spsolve, diag and getfactor
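The comparison pattern described in this issue, reproduced as an added example that is not cvxopt's code. The `struct capsule` type and the `factor_from_capsule_*` / `*_check_accepts` helpers are hypothetical stand-ins for the PyCapsule name and pointer the real check inspects; the `strcmp` and `sizeof`-bounded variants are my suggested fixes, not the project's patch. The capsule names used in `main` are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the name/pointer pair a PyCapsule carries. */
struct capsule {
    const char *name;    /* what PyCapsule_GetName() would return */
    void       *pointer; /* what PyCapsule_GetPointer() would return */
};

#define FACTOR_NAME "CHOLMOD FACTOR"  /* 14 characters, 15 bytes with the NUL */

/* The check as written in the issue: strncmp with length 14 compares only
   the first 14 bytes, so the terminator of the expected name is never
   compared and any name that merely begins with "CHOLMOD FACTOR" passes.
   A fake capsule with such a name hands its arbitrary pointer to the
   caller, which then casts it to cholmod_factor *. */
void *factor_from_capsule_prefix(const struct capsule *cap)
{
    if (cap == NULL || cap->name == NULL) return NULL;     /* err_CO("F") */
    if (strncmp(cap->name, FACTOR_NAME, 14)) return NULL;  /* PY_ERR_TYPE(...) */
    return cap->pointer;
}

/* Suggested fix (assumption, not the project's patch): strcmp compares up
   to and including the NUL, so "CHOLMOD FACTORMalicious" differs at byte 14
   ('M' versus '\0') and is rejected. */
void *factor_from_capsule_exact(const struct capsule *cap)
{
    if (cap == NULL || cap->name == NULL) return NULL;
    if (strcmp(cap->name, FACTOR_NAME) != 0) return NULL;
    return cap->pointer;
}

/* Same result with a bounded compare: sizeof FACTOR_NAME is 15, which
   includes the terminator, so the NUL is part of the comparison. */
void *factor_from_capsule_bounded(const struct capsule *cap)
{
    if (cap == NULL || cap->name == NULL) return NULL;
    if (strncmp(cap->name, FACTOR_NAME, sizeof FACTOR_NAME) != 0) return NULL;
    return cap->pointer;
}

/* Convenience wrappers: build a capsule with the given name and a dummy
   payload, and report 1 if the corresponding check accepts it, else 0. */
static int dummy_payload;  /* constructed payload; not a cholmod_factor */

int prefix_check_accepts(const char *name)
{
    struct capsule c = { name, &dummy_payload };
    return factor_from_capsule_prefix(&c) != NULL;
}

int exact_check_accepts(const char *name)
{
    struct capsule c = { name, &dummy_payload };
    return factor_from_capsule_exact(&c) != NULL;
}

int bounded_check_accepts(const char *name)
{
    struct capsule c = { name, &dummy_payload };
    return factor_from_capsule_bounded(&c) != NULL;
}

int main(void)
{
    /* Constructed capsule names for the demonstration. */
    const char *names[] = {
        "CHOLMOD FACTOR",          /* genuine name */
        "CHOLMOD FACTORMalicious", /* the issue's fake-capsule example */
        "CHOLMOD FACTO",           /* truncated: rejected by every variant */
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-26s prefix=%d exact=%d bounded=%d\n", names[i],
               prefix_check_accepts(names[i]),
               exact_check_accepts(names[i]),
               bounded_check_accepts(names[i]));
    }
    return 0;
}
```

Only the prefix check accepts "CHOLMOD FACTORMalicious"; both hardened variants reject it while still accepting the genuine name. In the real code the fix also has to apply in every one of the four call paths listed above (solve, spsolve, diag, getfactor), since each carries its own copy of the check.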