From owner-svn-src-all@FreeBSD.ORG Tue Nov 25 18:39:38 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4A467D47; Tue, 25 Nov 2014 18:39:38 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1D525332; Tue, 25 Nov 2014 18:39:38 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sAPIdbqG012372; Tue, 25 Nov 2014 18:39:37 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sAPIdbCc012371; Tue, 25 Nov 2014 18:39:37 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201411251839.sAPIdbCc012371@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 25 Nov 2014 18:39:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r275060 - head/lib/libc/net X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Nov 2014 18:39:38 -0000 Author: emaste Date: Tue Nov 25 18:39:37 2014 New Revision: 275060 URL: https://svnweb.freebsd.org/changeset/base/275060 Log: Fix b64_pton output buffer overrun test for exact-sized buffer b64_pton would sometimes erroneously fail to decode a base64 string into a precisely sized buffer. The overflow check was a little too greedy. Reported by: Ted Unangst on freebsd-hackers@ Reviewed by: loos, trasz Obtained from: OpenBSD MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D1218 Modified: head/lib/libc/net/base64.c Modified: head/lib/libc/net/base64.c ============================================================================== --- head/lib/libc/net/base64.c Tue Nov 25 18:35:47 2014 (r275059) +++ head/lib/libc/net/base64.c Tue Nov 25 18:39:37 2014 (r275060) @@ -199,6 +199,7 @@ b64_pton(src, target, targsize) size_t targsize; { int tarindex, state, ch; + u_char nextbyte; char *pos; state = 0; @@ -226,22 +227,28 @@ b64_pton(src, target, targsize) break; case 1: if (target) { - if ((size_t)tarindex + 1 >= targsize) + if ((size_t)tarindex >= targsize) return (-1); target[tarindex] |= (pos - Base64) >> 4; - target[tarindex+1] = ((pos - Base64) & 0x0f) - << 4 ; + nextbyte = ((pos - Base64) & 0x0f) << 4; + if ((size_t)tarindex + 1 < targsize) + target[tarindex + 1] = nextbyte; + else if (nextbyte) + return (-1); } tarindex++; state = 2; break; case 2: if (target) { - if ((size_t)tarindex + 1 >= targsize) + if ((size_t)tarindex >= targsize) return (-1); target[tarindex] |= (pos - Base64) >> 2; - target[tarindex+1] = ((pos - Base64) & 0x03) - << 6; + nextbyte = ((pos - Base64) & 0x03) << 6; + if ((size_t)tarindex + 1 < targsize) + target[tarindex + 1] = nextbyte; + else if (nextbyte) + return (-1); } tarindex++; state = 3; @@ -299,7 +306,8 @@ b64_pton(src, target, targsize) * zeros. If we don't check them, they become a * subliminal channel. */ - if (target && target[tarindex] != 0) + if (target && (size_t)tarindex < targsize && + target[tarindex] != 0) return (-1); } } else {