-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In _decode function, memset the allocated memory to 0 before initializing it #74
Comments
@mysticlife1111 the outputs of both cjose_jws_get_plaintext() and _decode() functions are byte buffers of explicit length, not zero-terminated character strings. You may want to check your code for a buffer over-read error, which could happen if you are treating the plaintext as a zero-terminated string when the producer of the JWS did not include a terminating zero in the original payload. If you're certain this is not the case, though, it would be great if you could share a small runnable example of code (with imported JWS) that demonstrates the problem. |
Hi, cjose_jws_t *jws = NULL; I am using this function
/* Get the Plaintext information */ So i am expecting that plaintext_len will give me the right length of the plaintext, Here is the decoded JWT in plaintext È:F:^U^? are the extra characters, this causes error when i use the JSON parser as it complains JSON string is wrong. I have to get the actual plaintext len as follows I am releasing the memory if (jws) { Seems like cjose_jws_release(jws); will release the plaintext memory as well. |
Use |
I tried using strlen(access_token) + 1 but now i am getting error in the function cjose_jws_import |
If The referenced Also, yes |
This is the list of functions i am using
In the second step, plaintext_len gives length including garbage in the end and the step 3 fails. So had to get the right length in plaintext_len removing the garbage characters in the end. strlen(access_token) + 1 doesn't work! |
@mysticlife1111 thank you for the context. I'll admit I'm puzzled why I'm also curious how your |
Hello, yes First getting the jws after getting the plaintext Step 2: cjose_jws_get_plaintext(jws, &plaintext, &plaintext_len, err); Step 3: /* Remove the trailing garbage from the plaintext before JSON parsing */ Step 4: a_token = calloc(1, plaintext_len + 1); Step 5: snprintf(a_token, plaintext_len + 1, "%s", plaintext); Step 6: /* Now parse the plaintext JSON to get JSON top object */ Regards! |
In File cjose/src/base64.c
In function
static inline bool _decode(const char *input, size_t inlen, uint8_t **output, size_t *outlen, bool url, cjose_err *err)
Line 78:
uint8_t *buffer = cjose_get_alloc()(sizeof(uint8_t) * rlen);
Fix:
memset(buffer, 0, sizeof(uint8_t) * rlen);
Symptoms:
I am using function
jws = cjose_jws_import(access_token, strlen(access_token), err);
to get the jws object and then to get the plaintext version i am using
cjose_jws_get_plaintext(jws, &plaintext, &plaintext_len, err)
However, when i see the plaintext version, it has extra garbage characters in the end after the termination of the JSON
i am using the JSON parse to get the values, C function is
e = cl_json_parse(a_token, &json_top);
It is throwing error because of the corrupted plaintext field (extra garbage character), as i can't change the source code of cjose, workaround is parse from the end till i get the closing } brace to get the final length.
One weird thing is "first time when i decode the string then the JSON plaintext looks ok, its subsequent time when the garbage characters shows up" not sure if it is due to the alloc function.
Please memset the buffer to 0 before using it.
The text was updated successfully, but these errors were encountered: