Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-04-ENS-FINDINGS-ISSUES-329
HistoryMay 10, 2023 - 12:00 a.m.

Upgraded Q -> 2 from #298 [1683710120837]

2023-05-1000:00:00
Code4rena
github.com
7
security assessment
algorithm vulnerability
mitigation steps
risk assessment
redundant parameter
unpredictable results
issue tracking
JSON

Judge has assessed an item in Issue #298 as 2 risk. The relevant finding follows:

[L-03] Redundant and dangerous len parameter in readKeyValue

#Links

Impact

If the len is not set to input.length minus the offset, there may be unpredictable results due how the algorithm works.

Proof of Concept

Let’s consider the following three inputs that will be parsed by the readKeyValue with an offset of zero:

  1. bytes(“aaa=bbb”)
  2. bytes("aaa=bbb ")
  3. bytes(“aaa=bbb ccc=ddd”)

The first input will be correctly and integrally parsed for any len that goes past the equal sign (len >= 4) because terminator is first set to type(uint256).max, then to input.length.

The second input will be correctly parsed only if the len is equal to the input.length (8), because otherwise the terminator is not found, and the value is retrieved by substring(input, offset:3 + 1, len:8 - 3 - 1) causing the value to be 0x62626220 instead of 0x626262.

The third input suffers the same problems as the first and second.

Tools Used

n/a

Recommended Mitigation Steps

Either remove the len parameter and calculate it internally as len = input.length - offset, or update the algorithm to be more robust.

The text was updated successfully, but these errors were encountered:

All reactions

JSON