From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 7 12:10:19 2006
Resent-Date: Mon, 7 Aug 2006 12:10:17 GMT
Resent-Message-Id: <200608071210.k77CAH7b026313@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dan Lukes
Message-Id: <200608071201.k77C1qU0026514@kulesh.obluda.cz>
Date: Mon, 7 Aug 2006 14:01:52 +0200 (CEST)
From: Dan Lukes
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/101575: [ PATCH ] Memory overflow "off-by one" in hexdump
Reply-To: Dan Lukes
List-Id: Bug reports

>Number:         101575
>Category:       bin
>Synopsis:       [ PATCH ] Memory overflow "off-by one" in hexdump
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 07 12:10:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 6.1-STABLE: Fri Aug 4 19:58:43 CEST 2006 i386
usr.bin/hexdump/parse.c,v 1.13 2004/07/22 13:14:42

but the same problem is in

System: FreeBSD 4.11-RELEASE-p19
usr.bin/hexdump/parse.c,v 1.4.2.1 2002/07/23 14:27:06

I'm almost sure the same problem is in all FreeBSD 5.X as well
>Description:
The program uses one byte more memory than allocated. The problem occurs in strcat().

The code wants to concat two strings - fmtp[] has variable length, cs[] is two bytes. The program callocs strlen(fmtp) + 2 bytes for it, forgetting the final '\0' of the concatenated string.

I think this overflow is not exploitable by an attacker even if we run hexdump on a specially prepared source file. But my assumptions may be wrong.
>How-To-Repeat:
Use a memory usage analyzer (memcheck or so), then run hd with no arguments.
>Fix:
Please MFC it to RELENG-4 too

--- usr.bin/hexdump/parse.c.ORIG	Sun Aug 8 21:12:10 2004
+++ usr.bin/hexdump/parse.c	Mon Aug 7 13:41:57 2006
@@ -394,7 +394,7 @@ */ savech = *p2; p1[0] = '\0'; - if ((pr->fmt = calloc(1, strlen(fmtp) + 2)) == NULL) + if ((pr->fmt = calloc(1, strlen(fmtp) + 3)) == NULL) err(1, NULL); (void)strcpy(pr->fmt, fmtp); (void)strcat(pr->fmt, cs); >Release-Note: >Audit-Trail: >Unformatted:
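Review bot: the `+ 3` in the calloc line is correct for the case the report describes, but it still encodes the length of cs as a bare constant next to the strcpy/strcat that follow, so the allocation and the writes can drift apart again if cs ever changes; consider `calloc(1, strlen(fmtp) + strlen(cs) + 1)` so the terminator is explicit and the size is derived from the strings actually concatenated, or at least a comment on the line stating that the extra bytes are for cs plus its NUL. Note also that calloc's zero-fill does not protect here: the terminating '\0' written by strcat is the byte that lands past the allocation when the size is one short, so the fix must be in the size, as this hunk does.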
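To make the reported off-by-one observable without touching the heap, here is an added C example (not part of the PR or of hexdump's parse.c) that reproduces the `calloc(1, strlen(fmtp) + extra)` / `strcpy` / `strcat` sequence inside a canary-filled arena and counts bytes written past the emulated allocation; `FMTP_SAMPLE` and `CS_SAMPLE` are constructed sample strings, not values from hexdump.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for hexdump's fmtp (variable length) and cs (two
 * characters); not taken from parse.c, chosen only to exercise the sizing. */
#define FMTP_SAMPLE "%08.8_ax  "
#define CS_SAMPLE   "lx"

/* Bytes a NUL-terminated concatenation of a and b actually needs. */
size_t concat_size(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 1;    /* +1 for the terminating '\0' */
}

/*
 * Emulate calloc(1, strlen(fmtp) + extra) followed by the strcpy/strcat
 * from parse.c, but inside a canary-filled arena so the overrun is
 * observable instead of silently corrupting heap metadata. Returns how many
 * bytes were written past the emulated allocation (0 = sizing is correct).
 */
size_t bytes_overrun(const char *fmtp, const char *cs, size_t extra)
{
    enum { ARENA = 128, CANARY = 0xAA };
    unsigned char arena[ARENA];
    size_t alloc = strlen(fmtp) + extra;
    size_t i, overrun = 0;

    if (alloc + strlen(cs) + 1 > ARENA)  /* sample must fit inside the arena */
        return (size_t)-1;

    memset(arena, CANARY, ARENA);        /* canary beyond the "allocation" */
    memset(arena, 0, alloc);             /* calloc zero-fills the allocation */
    strcpy((char *)arena, fmtp);
    strcat((char *)arena, cs);           /* the write the PR describes */

    for (i = alloc; i < ARENA; i++)
        if (arena[i] != CANARY)
            overrun++;
    return overrun;
}

int main(void)
{
    printf("needed %zu bytes; +2 overruns by %zu, +3 overruns by %zu\n",
           concat_size(FMTP_SAMPLE, CS_SAMPLE),
           bytes_overrun(FMTP_SAMPLE, CS_SAMPLE, 2),
           bytes_overrun(FMTP_SAMPLE, CS_SAMPLE, 3));
    return 0;
}
```

With the original `+ 2` the terminating '\0' lands one byte past the allocation; with the patched `+ 3` (or `strlen(cs) + 1`) nothing is written outside it.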