Date: Mon, 7 Aug 2006 14:01:52 +0200 (CEST)
From: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/101575: [ PATCH ] Memory overflow "off-by one" in hexdump
Message-ID: <200608071201.k77C1qU0026514@kulesh.obluda.cz>
Resent-Message-ID: <200608071210.k77CAH7b026313@freefall.freebsd.org>
>Number:         101575
>Category:       bin
>Synopsis:       [ PATCH ] Memory overflow "off-by one" in hexdump
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 07 12:10:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 6.1-STABLE: Fri Aug 4 19:58:43 CEST 2006 i386
usr.bin/hexdump/parse.c,v 1.13 2004/07/22 13:14:42

but the same problem is in

System: FreeBSD 4.11-RELEASE-p19
usr.bin/hexdump/parse.c,v 1.4.2.1 2002/07/23 14:27:06

I'm almost sure the same problem is in all FreeBSD 5.X as well.
>Description:
The program uses one byte more memory than allocated. The problem occurs in strcat().

The code wants to concatenate two strings: fmtp[] has variable length, cs[] is two bytes. The program callocs strlen(fmtp) + 2 bytes for it, forgetting the final '\0' of the concatenated string.

I think this overflow is not exploitable by an attacker even if we run hexdump on a specially prepared source file. But my assumptions may be wrong.
>How-To-Repeat:
Use a memory usage analyzer (memcheck or so), then run hd with no arguments.
>Fix:
Please MFC it to RELENG-4 too.

--- usr.bin/hexdump/parse.c.ORIG	Sun Aug  8 21:12:10 2004
+++ usr.bin/hexdump/parse.c	Mon Aug  7 13:41:57 2006
@@ -394,7 +394,7 @@
 	 */
 	savech = *p2;
 	p1[0] = '\0';
-	if ((pr->fmt = calloc(1, strlen(fmtp) + 2)) == NULL)
+	if ((pr->fmt = calloc(1, strlen(fmtp) + 3)) == NULL)
 		err(1, NULL);
 	(void)strcpy(pr->fmt, fmtp);
 	(void)strcat(pr->fmt, cs);
>Release-Note:
>Audit-Trail:
>Unformatted:
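Review bot: the new size `strlen(fmtp) + 3` is still a hard-coded constant that encodes an assumption about how long `cs` can be; the allocation would be more robust as `strlen(fmtp) + strlen(cs) + 1`, which is exactly what the following `strcpy`/`strcat` pair writes and cannot drift if `cs` changes size again. The `+ 3` is correct for the case the report describes (two bytes in `cs` plus the terminator), so the patch as written does close the one-byte overflow; a short comment at the `calloc` saying the extra bytes are for `cs` and the NUL would help future readers.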
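As an added illustration (not code from this PR or from hexdump itself), the following C program sizes the concatenation buffer from its operands, which is the general form of the fix rather than a fixed constant, and reports how far the pre-patch `strlen(fmtp) + 2` allocation falls short for a given `cs`. The function names (`join_needed_size`, `old_alloc_shortfall`, `join_fmt`) and the sample strings are constructed for this example; the inputs mirror the report's description of fmtp[] (variable length) and cs[] (two bytes).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not hexdump's code): the byte count that strcpy()
 * followed by strcat() actually writes, i.e. both strings plus one NUL. */
size_t join_needed_size(const char *fmtp, const char *cs)
{
    return strlen(fmtp) + strlen(cs) + 1;
}

/* How many bytes the pre-patch "strlen(fmtp) + 2" allocation falls short of
 * what strcpy()+strcat() write; 0 means the old size happened to fit. */
size_t old_alloc_shortfall(const char *fmtp, const char *cs)
{
    size_t old_size = strlen(fmtp) + 2;      /* the allocation before the patch */
    size_t need = join_needed_size(fmtp, cs);
    return need > old_size ? need - old_size : 0;
}

/* Safe replacement for the calloc/strcpy/strcat sequence: size the buffer
 * from the actual operands and verify the written length afterwards, so a
 * later change to either input cannot silently overflow again. Returns a
 * heap string the caller frees, or NULL on allocation failure. */
char *join_fmt(const char *fmtp, const char *cs)
{
    size_t size = join_needed_size(fmtp, cs);
    char *out = malloc(size);
    if (out == NULL)
        return NULL;
    int n = snprintf(out, size, "%s%s", fmtp, cs);
    if (n < 0 || (size_t)n >= size) {   /* cannot happen with a correct size; fail closed */
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    /* Constructed inputs: a format prefix as it would look once truncated at
     * the conversion character, and a two-character conversion string as the
     * report describes cs[]. */
    const char *fmtp = "%08.4";
    const char *cs_two = "qd";   /* two bytes in cs[]: the overflowing case */
    const char *cs_one = "d";    /* one byte: the old size fits by luck */

    printf("need=%zu old_short=%zu\n", join_needed_size(fmtp, cs_two),
           old_alloc_shortfall(fmtp, cs_two));   /* need=8 old_short=1 */
    printf("need=%zu old_short=%zu\n", join_needed_size(fmtp, cs_one),
           old_alloc_shortfall(fmtp, cs_one));   /* need=7 old_short=0 */

    char *joined = join_fmt(fmtp, cs_two);
    if (joined == NULL)
        return 1;
    printf("%s\n", joined);   /* %08.4qd */
    free(joined);
    return 0;
}
```

The one-byte case shows why the bug went unnoticed: with a single conversion character the old size is exactly enough, and only a two-character cs[] pushes the terminating NUL past the end of the allocation, which is the kind of off-by-one that memcheck reports and ordinary testing does not.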