nmirchev8_ctf - Incorrect Handling of returndatacopy ##4

[Chidubemkingsley]

Severity: Medium

Vulnerability Details:
In the _callWithExactGasSafeReturnData function, the returndatacopy operation is used to copy the return data from the external call. However, the return data size is hardcoded to maxReturnDataBytes (which is set to 64 bytes). This can lead to a problem if the actual return data is larger than maxReturnDataBytes, resulting in the truncation of the return data.

Proof of Code:

mstore(retData, maxReturnDataBytes)
returndatacopy(add(retData, 0x20), 0x0, maxReturnDataBytes)

Impact
Data Loss: The truncation of return data can result in incomplete data being returned, leading to incorrect behavior in the calling function.
Potential Security Issue: Depending on how the return data is used, this could also introduce security vulnerabilities if the contract relies on the integrity of the full return data.

Tool Used
Manual

Recommendation
Instead of hardcoding the return data size, dynamically allocate memory for retData based on the actual size of the return data using returndatasize():

mstore(retData, returndatasize())
returndatacopy(add(retData, 0x20), 0x0, returndatasize())

Here’s the corrected part of the code:

success := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0x0, 0x0)
gasUsed := sub(gasBeforeCall, gas())

// Store the length of the copied bytes
let returnDataSize := returndatasize()
mstore(retData, returnDataSize)
// copy the bytes from retData[0:returnDataSize]
returndatacopy(add(retData, 0x20), 0x0, returnDataSize)

[NicolaMirchev]

The same as #29