Date: Thu, 5 Aug 2004 08:31:11 GMT From: Herve Masson <herve-bsdbt@mindstep.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/70022: libfetch uses bad computation leading to memory overflow Message-ID: <200408050831.i758VBjM095582@www.freebsd.org> Resent-Message-ID: <200408050840.i758eJMA042624@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 70022 >Category: misc >Synopsis: libfetch uses bad computation leading to memory overflow >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Aug 05 08:40:18 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Herve Masson >Release: zunobox server (www.netzuno.com) based on FreeBSD 4.9-RELEASE-p2 >Organization: Mindstep Corp. >Environment: FreeBSD bytemill.montpellier.mindstep.com 4.9-RELEASE-p2 FreeBSD 4.9-RELEASE-p2 #0: Thu Mar 4 16:35:01 GMT 2004 root@bytemill.montpellier.mindstep.com:/tmp/bsdobjs/usr/src/sys/ZUNOBOX_DEV i386 >Description: The base64 encoding code as provided in http.c [function _http_base64()] uses the following expression to allocate memory for encoded version of the given string: if ((str = malloc(((l + 2) / 3) * 4)) == NULL) This number does not include space for the terminating \0 byte, which is later inserted in the function. As a consequence, the first byte outside the allocated region is zeroed. >How-To-Repeat: I have never had a problem using command line programs on my BSD system; I noticed it when I ported this code on Windows, which has the memory overflow detection turned on in debug mode. >Fix: Use the following math: if ((str = malloc(1+((l + 2) / 3) * 4)) == NULL) >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408050831.i758VBjM095582>