Date: Thu, 1 Nov 2001 10:52:31 +1100 (EST)
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/31676: converters/mpack heap buffer overflow in header parsing code
Message-ID: <200110312352.f9VNqU724114@mango.robbins.dropbear.id.au>
>Number:         31676
>Category:       ports
>Synopsis:       converters/mpack heap buffer overflow in header parsing code
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 31 16:00:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD mango.robbins.dropbear.id.au 4.4-STABLE FreeBSD 4.4-STABLE #2: Sat Sep 29 03:42:56 EST 2001 tim@mango.robbins.dropbear.id.au:/usr/obj/usr/src/sys/GENERIC i386

munpack 1.5 from converters/mpack in the FreeBSD ports collection.

>Description:
The `left' variable, which counts the number of bytes left in the buffer, is not updated properly when realloc() is called to increase the size of the buffer.

>How-To-Repeat:
Cause a message with a Content-Disposition or parameter to another header that exceeds 2*1024 characters in length to be unpacked with munpack. 2048 chars isn't enough to crash it, although memory is overwritten at that point - 1 MB of chars does the trick.

>Fix:
The patch I had posted to the ports@FreeBSD.org mailing list earlier was not correct. I believe this one is:

diff -ruN mpack-1.5/decode.c mpack/decode.c --- mpack-1.5/decode.c Fri Feb 17 08:39:44 1995 +++ mpack/decode.c Thu Nov 1 10:40:23 2001 @@ -467,6 +467,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } if (*from == '\\') { @@ -483,6 +484,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } *to++ = *from++; @@ -572,6 +574,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } if (*disposition == '\\') {
@@ -589,6 +592,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } *to++ = *disposition++;

>Release-Note:
>Audit-Trail:
>Unformatted:
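Review bot: in the first hunk (@@ -467,6 +467,7 @@) the reset `left = VALUEGROWSIZE;` makes the recomputed `to = value + alloced - left - 2;` come out at the old `value + alloced - 2` instead of two bytes short of the new end, and it restores a countdown that, once `left` had passed 0, the pre-decrement `!--left` could never bring back to zero, which is how the copy ran off the end of `value`. Whether that recomputed position is exactly the slot after the last byte written, though, depends on how `left` was initialised against `alloced` and `to` before the loop, which is outside the hunk; with a pre-decrement check the count and the pointer have to agree to the byte or each grow will skip or reuse one position. It would be more robust to save the offset before the realloc and rebuild both variables from it, e.g. `off = to - value; value = xrealloc(value, alloced); to = value + off;` followed by `left = alloced - 2 - off;`, so the arithmetic no longer depends on the caller's setup.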
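Review bot: the second hunk (@@ -483,6 +484,7 @@) is the second of four byte-identical grow blocks in decode.c, and the missing `left` update being fixed here is exactly the kind of defect that arrives with copy-pasted bookkeeping. Consider pulling the block into one small helper (something like a hypothetical `grow_value(&value, &alloced, &left, &to)`) so the invariant between `alloced`, `left` and `to` is stated once and the four call sites cannot drift apart again.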
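Review bot: the third hunk (@@ -572,6 +574,7 @@) leaves the `- 2` in `to = value + alloced - left - 2;` undocumented, even though the whole correctness argument for the Content-Disposition path now rests on that reserve: the loop must stop two bytes short of `alloced` for whatever is appended after it (presumably the terminating NUL) to stay inside the block. A one-line comment naming what the two reserved bytes are for would let the next reader check the arithmetic without reconstructing it.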
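Review bot: with the fourth hunk (@@ -589,6 +592,7 @@) all four sites are consistent, but nothing in the patch exercises the grow path. The PR's own How-To-Repeat (a Content-Disposition parameter longer than 2*1024 characters) is a ready-made regression input; running munpack on such a message under a bounds-checking malloc would confirm that `to` stays inside `value` across the second and later grows, which is the case the old code got wrong.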
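The bookkeeping the report describes, written out as an added example that is not mpack's code: a grow-on-demand copy loop with the PR's pre-decremented `left`, VALUEGROWSIZE increments and two reserved bytes, but with `to` and `left` re-derived from the saved byte offset after every realloc() so the count and the pointer cannot disagree. VALUEGROWSIZE = 1024, the grow_value() helper, copy_value() and the sample input are all constructed for this example; the PR does not show mpack's constant or its loop setup.

```c
/* Added example, not mpack's code: a grow-on-demand header-value copy loop
 * that keeps the invariant (to - value) + left == alloced - 2 before every
 * write, re-deriving `to` and `left` from the byte offset after each grow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUEGROWSIZE 1024   /* constructed; the PR does not show mpack's value */

/* Enlarge *value by VALUEGROWSIZE. realloc() may move the block, so `to`
 * is rebuilt from its offset and `left` is recomputed from the same offset
 * instead of being carried across. Returns -1 if realloc() fails. */
static int grow_value(char **value, size_t *alloced, size_t *left, char **to)
{
    size_t off = (size_t)(*to - *value);
    char *nv = realloc(*value, *alloced + VALUEGROWSIZE);
    if (nv == NULL)
        return -1;
    *alloced += VALUEGROWSIZE;
    *value = nv;
    *to = nv + off;
    *left = *alloced - 2 - off;   /* bytes usable before the 2-byte reserve */
    return 0;
}

/* Copy a parameter value up to ';' or end of input into a new NUL-terminated
 * buffer, taking backslash-escaped characters literally. Stores the final
 * allocation size in *alloced_out (if non-NULL); the caller frees the result.
 * Returns NULL on allocation failure. */
char *copy_value(const char *from, size_t *alloced_out)
{
    size_t alloced = VALUEGROWSIZE;
    char *value = malloc(alloced);
    if (value == NULL)
        return NULL;
    char *to = value;
    size_t left = alloced - 2;    /* one byte for the NUL, one spare */

    while (*from != '\0' && *from != ';') {
        /* `left` hitting 0 means this write would leave only the reserve,
         * so grow first; after the grow `left` and `to` agree by construction. */
        if (!--left && grow_value(&value, &alloced, &left, &to) != 0) {
            free(value);
            return NULL;
        }
        if (*from == '\\') {           /* escaped character: copy it literally */
            from++;
            if (*from == '\0')
                break;
        }
        *to++ = *from++;
    }
    *to = '\0';                        /* lands inside the reserved bytes */
    if (alloced_out != NULL)
        *alloced_out = alloced;
    return value;
}

/* Constructed scenario: 5000 'A's, an escaped ';', an 'x', then the real
 * terminator. Returns the copied length (0 on failure) and, if asked, the
 * final buffer size, which shows how many grows the input forced. */
size_t demo_copy(size_t *alloced_out)
{
    char input[5100];
    memset(input, 'A', 5000);
    strcpy(input + 5000, "\\;x;ignored");
    size_t alloced = 0;
    char *v = copy_value(input, &alloced);
    if (v == NULL)
        return 0;
    size_t n = strlen(v);
    free(v);
    if (alloced_out != NULL)
        *alloced_out = alloced;
    return n;
}

/* Final allocation size reached by demo_copy(). */
size_t demo_alloced(void)
{
    size_t alloced = 0;
    demo_copy(&alloced);
    return alloced;
}

int main(void)
{
    size_t alloced = 0;
    size_t n = demo_copy(&alloced);
    printf("copied %zu bytes into a %zu-byte buffer\n", n, alloced);
    return n == 0;
}
```

demo_copy() feeds a 5000-byte parameter value, well past the 2*1024 characters the report names as the trigger; it forces four grows, ends in a 5120-byte buffer, and the terminator still lands inside the block because `left` is recomputed from the offset rather than trusted across the realloc.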