From owner-svn-src-all@FreeBSD.ORG Mon Mar 23 20:50:29 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D6DD64CE; Mon, 23 Mar 2015 20:50:29 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A7EE4B97; Mon, 23 Mar 2015 20:50:29 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2NKoTOR093353; Mon, 23 Mar 2015 20:50:29 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2NKoTQg093352; Mon, 23 Mar 2015 20:50:29 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201503232050.t2NKoTQg093352@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Mon, 23 Mar 2015 20:50:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r280398 - stable/10/lib/libc/net X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Mar 2015 20:50:30 -0000 Author: emaste Date: Mon Mar 23 20:50:28 2015 New Revision: 280398 URL: https://svnweb.freebsd.org/changeset/base/280398 Log: MFC r275060: Fix b64_pton output buffer overrun test for exact-sized buffer b64_pton would sometimes erroneously fail to decode a base64 string into a precisely sized buffer. The overflow check was a little too greedy. Modified: stable/10/lib/libc/net/base64.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libc/net/base64.c ============================================================================== --- stable/10/lib/libc/net/base64.c Mon Mar 23 20:02:16 2015 (r280397) +++ stable/10/lib/libc/net/base64.c Mon Mar 23 20:50:28 2015 (r280398) @@ -199,6 +199,7 @@ b64_pton(src, target, targsize) size_t targsize; { int tarindex, state, ch; + u_char nextbyte; char *pos; state = 0; @@ -226,22 +227,28 @@ b64_pton(src, target, targsize) break; case 1: if (target) { - if ((size_t)tarindex + 1 >= targsize) + if ((size_t)tarindex >= targsize) return (-1); target[tarindex] |= (pos - Base64) >> 4; - target[tarindex+1] = ((pos - Base64) & 0x0f) - << 4 ; + nextbyte = ((pos - Base64) & 0x0f) << 4; + if ((size_t)tarindex + 1 < targsize) + target[tarindex + 1] = nextbyte; + else if (nextbyte) + return (-1); } tarindex++; state = 2; break; case 2: if (target) { - if ((size_t)tarindex + 1 >= targsize) + if ((size_t)tarindex >= targsize) return (-1); target[tarindex] |= (pos - Base64) >> 2; - target[tarindex+1] = ((pos - Base64) & 0x03) - << 6; + nextbyte = ((pos - Base64) & 0x03) << 6; + if ((size_t)tarindex + 1 < targsize) + target[tarindex + 1] = nextbyte; + else if (nextbyte) + return (-1); } tarindex++; state = 3; @@ -299,7 +306,8 @@ b64_pton(src, target, targsize) * zeros. If we don't check them, they become a * subliminal channel. */ - if (target && target[tarindex] != 0) + if (target && (size_t)tarindex < targsize && + target[tarindex] != 0) return (-1); } } else {