From owner-freebsd-ports Wed Oct 31 16: 0:12 2001
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 152A337B407 for ; Wed, 31 Oct 2001 16:00:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id fA1001o02652; Wed, 31 Oct 2001 16:00:01 -0800 (PST) (envelope-from gnats)
Received: from mango.robbins.dropbear.id.au (007.a.006.mel.iprimus.net.au [210.50.44.7]) by hub.freebsd.org (Postfix) with ESMTP id 9843037B405 for ; Wed, 31 Oct 2001 15:59:01 -0800 (PST)
Received: (from tim@localhost) by mango.robbins.dropbear.id.au (8.11.6/8.11.6) id f9VNqU724114; Thu, 1 Nov 2001 10:52:31 +1100 (EST) (envelope-from tim)
Message-Id: <200110312352.f9VNqU724114@mango.robbins.dropbear.id.au>
Date: Thu, 1 Nov 2001 10:52:31 +1100 (EST)
From: "Tim J. Robbins"
Reply-To: "Tim J. Robbins"
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: ports/31676: converters/mpack heap buffer overflow in header parsing code
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         31676
>Category:       ports
>Synopsis:       converters/mpack heap buffer overflow in header parsing code
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 31 16:00:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD mango.robbins.dropbear.id.au 4.4-STABLE FreeBSD 4.4-STABLE #2: Sat Sep 29 03:42:56 EST 2001 tim@mango.robbins.dropbear.id.au:/usr/obj/usr/src/sys/GENERIC i386

munpack 1.5 from converters/mpack in FreeBSD ports collection.

>Description:
The `left' variable, which counts the number of bytes left in the buffer, is not updated properly when realloc() is called to increase the size of the buffer.

>How-To-Repeat:
Cause a message with a Content-Disposition, or a parameter to another header, that exceeds 2*1024 characters in length to be unpacked with munpack. 2048 chars isn't enough to crash it, although memory is overwritten at that point; 1MB of chars does the trick.

>Fix:
The patch I had posted to the ports@FreeBSD.org mailing list earlier was not correct. I believe this one is:

diff -ruN mpack-1.5/decode.c mpack/decode.c --- mpack-1.5/decode.c Fri Feb 17 08:39:44 1995 +++ mpack/decode.c Thu Nov 1 10:40:23 2001 @@ -467,6 +467,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } if (*from == '\\') { 
@@ -483,6 +484,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } *to++ = *from++; @@ -572,6 +574,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } if (*disposition == '\\') { @@ -589,6 +592,7 @@ if (!--left) { alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); + left = VALUEGROWSIZE; to = value + alloced - left - 2; } *to++ = *disposition++;

>Release-Note:
>Audit-Trail:
>Unformatted:
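Review bot: in the @@ -467 hunk, whether the recomputed `to = value + alloced - left - 2` lands on the byte after the last one copied depends on how `left` is initialised before the loop, which is outside the hunk. With `left` reset to VALUEGROWSIZE and `alloced` already grown by the same amount, the expression reduces to `value + old_alloced - 2`, so it is exact only if the realloc branch is entered after exactly `old_alloced - 2` bytes have been written; with any other starting value of `left` the patch either skips a byte (leaving an uninitialised gap inside the value) or overwrites the last byte copied. Please confirm the initialisation of `left` against this, or sidestep the arithmetic altogether by saving the offset before growing: `size_t off = to - value;` before the `xrealloc`, then `to = value + off;` after it, which is correct whatever `left` holds.

Review bot: the @@ -483 hunk is the same three-line grow sequence as the one above it, in the same copy loop, and the bug being fixed exists precisely because the `alloced`/`left`/`to` bookkeeping is repeated by hand at every copy site. Suggest moving `alloced += VALUEGROWSIZE; value = xrealloc(value, alloced); left = VALUEGROWSIZE;` and the `to` recomputation into one static helper taking the four variables by address, called from all four sites, so that any further correction is made once.

Review bot: the @@ -572 hunk is in the Content-Disposition copy loop, which is the path the How-To-Repeat section exercises, so this is where a regression check belongs, and "no crash with 1MB" is not enough: the report itself states that a 2048-character value overwrites memory without crashing, so a silently skipped or clobbered byte after the patch would go unnoticed the same way. Unpacking a message whose disposition value is just over 2*1024 bytes and comparing the extracted value byte for byte with the input would show whether the recomputed `to` is exact; running munpack with FreeBSD malloc(3)'s `J` option (MALLOC_OPTIONS=J), which fills new allocations with a junk pattern, makes any gap left by an off-by-one visible in the output.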
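The grow-on-demand copy loop that the patch corrects, as an added C model (it is neither mpack's code nor the reporter's). The loop keeps the report's `left`, `alloced` and `to = value + alloced - left - 2` recomputation, but tracks the destination as an offset and bounds-checks every write, so the overflow is reported instead of corrupting the heap. VALUEGROWSIZE = 1024 and the starting value of `left` (passed in as `initial_left`) are assumptions, since neither appears in the report; the last scenario shows that the patched recomputation of `to` is exact for only one starting value of `left`, which is the property a reviewer of the patch has to confirm.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed grow step; mpack's real VALUEGROWSIZE is not shown in the report. */
#define VALUEGROWSIZE 1024

/*
 * Model of the mpack decode.c copy loop.  `off' stands in for the `to'
 * pointer (an offset, so the bounds check stays valid across realloc).
 * If fixed == 0 the `left' reset from the patch is omitted.
 * Returns the number of bytes copied, or -1 at the first write that would
 * land outside the buffer (where the real code corrupts the heap).
 * On success *out is the NUL-terminated copy; the caller frees it.
 */
long copy_value(const char *from, long initial_left, int fixed, char **out)
{
    size_t alloced = VALUEGROWSIZE;
    long left = initial_left;          /* assumed; see the lead-in */
    size_t off = 0;
    char *value = malloc(alloced);

    *out = NULL;
    if (!value)
        return -1;

    while (*from) {
        if (!--left) {
            char *grown;
            alloced += VALUEGROWSIZE;
            grown = realloc(value, alloced);
            if (!grown) {
                free(value);
                return -1;
            }
            value = grown;
            if (fixed)
                left = VALUEGROWSIZE;           /* the one-line fix */
            off = alloced - (size_t)left - 2;   /* to = value + alloced - left - 2 */
        }
        if (off >= alloced) {                   /* real code: *to++ writes past the end */
            free(value);
            return -1;
        }
        value[off++] = *from++;
    }
    if (off >= alloced) {                       /* terminating NUL would overflow */
        free(value);
        return -1;
    }
    value[off] = '\0';
    *out = value;
    return (long)off;
}

/*
 * Drives copy_value() over a constructed n-byte run of 'A'.  Returns n when
 * the copy is exact, -1 on a detected overflow, -2 when the byte count is
 * wrong (the recomputed `to' did not land where copying stopped), -3 when
 * the bytes differ.
 */
long run_model(size_t n, long initial_left, int fixed)
{
    char *in = malloc(n + 1), *out = NULL;
    long got, rc;

    if (!in)
        return -1;
    memset(in, 'A', n);
    in[n] = '\0';
    got = copy_value(in, initial_left, fixed, &out);
    if (got < 0)
        rc = -1;
    else if ((size_t)got != n)
        rc = -2;
    else if (memcmp(in, out, n) != 0)
        rc = -3;
    else
        rc = (long)n;
    free(in);
    free(out);
    return rc;
}

int main(void)
{
    /* VALUEGROWSIZE - 1 is the assumed initial `left': the value for which
     * `alloced - left - 2' lands exactly on the next free byte after growth. */
    const long init = VALUEGROWSIZE - 1;
    printf("short value, unpatched:   %ld\n", run_model(1000, init, 0));
    printf("long value, unpatched:    %ld\n", run_model(4096, init, 0));
    printf("long value, patched:      %ld\n", run_model(4096, init, 1));
    printf("patched, left off by one: %ld\n", run_model(4096, init - 1, 1));
    return 0;
}
```

Unpatched, the first realloc leaves `left` at 0, the recomputed `to` jumps to two bytes before the end of the new buffer, and `--left` never reaches 0 again, so the third write after growth is out of bounds (the model returns -1; the real code keeps writing). Patched, the copy is exact when `left` starts at VALUEGROWSIZE - 1, but starting it one lower makes the recomputed `to` skip a byte at the first growth, which the model reports as a length mismatch (-2) rather than an overflow: exactly the silent corruption that a crash-only test would miss.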