From owner-freebsd-bugs Fri May 19 10:50:08 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id BBFDD37BEAA for ; Fri, 19 May 2000 10:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id KAA97241; Fri, 19 May 2000 10:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 6842B37BAAD for ; Fri, 19 May 2000 10:40:46 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from archie@localhost) by bubba.whistle.com (8.9.3/8.9.2) id KAA41091; Fri, 19 May 2000 10:40:46 -0700 (PDT)
Message-Id: <200005191740.KAA41091@bubba.whistle.com>
Date: Fri, 19 May 2000 10:40:46 -0700 (PDT)
From: Archie Cobbs
Reply-To: archie@whistle.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/18678: Bug in libz
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         18678
>Category:       bin
>Synopsis:       Bug in libz
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 19 10:50:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Archie Cobbs
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
Whistle Communications, Inc.
>Environment:
All versions of FreeBSD
>Description:

[I rec'd this email on the ietf-ppp mailing list and copy it here]

> From owner-ietf-ppp-outgoing@merit.edu Fri May 19 07:25:39 2000
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-ID: <14629.20138.903736.299605@gargle.gargle.HOWL>
> Date: Fri, 19 May 2000 10:24:42 -0400 (EDT)
> From: James Carlson
> To: pppext
> Subject: RFC 1979 Deflate / zlib warning
> X-Mailer: VM 6.75 under Emacs 20.6.1
> Sender: owner-ietf-ppp@merit.edu
> Precedence: bulk
> Errors-To: owner-ietf-ppp-outgoing@merit.edu
> Status: RO
>
> I've found a potentially serious bug in all popular versions of zlib
> (0.99, 1.0.4, and the latest 1.1.3) by Jean-loup Gailly and Mark
> Adler. This library is used to implement RFC 1979 Deflate
> compression.
>
> The short version:
>
> If the deflate window size is set to 8, zlib will corrupt
> memory and (depending on your implementation) cause a kernel
> panic. The recommended fix is to reply with Configure-Nak if
> the peer has the Window parameter set to 0000 (size 8) in its
> Configure-Request and ignore Configure-Nak with Window set to
> 0000.
>
> The long version:
>
> The problem is that s->strstart gets set to a very large
> positive integer when wsize (local copy of s->w_size) is
> subtracted in deflate.c:fill_window(). This happens because
> MAX_DIST(s) resolves as a negative number when the window size
> is 8 -- MAX_DIST(s) is defined as s->w_size-MIN_LOOKAHEAD in
> deflate.h. MIN_LOOKAHEAD is MAX_MATCH+MIN_MATCH+1, and that
> is 258+3+1 or 262. Since a window size of 8 gives s->w_size
> 256, MAX_DIST(s) is 256-262 or -6.
>
> This results in read_buf() writing over memory outside of
> s->window, and a crash.
>
> I tried experimenting with the definition of MAX_MATCH,
> MAX_LOOKAHEAD, and MAX_DIST(s) using cargo-cult techniques
> without much success. I was able to get deflate() (the
> compression call) to avoid crashing, but I was rewarded with
> either "invalid stored block lengths" or "oversubscribed
> dynamic bit lengths tree" on calling inflate() on the
> resulting compressed data, and I wasn't able to fix this.
>
> Patches:
>
> I've posted patches for ANU PPP and a short example program
> that crashes zlib to my Sun web site:
>
> http://playground.sun.com/~carlsonj/
>
> --
> James Carlson, Internet Engineering
> SUN Microsystems / 1 Network Drive 71.234W Vox +1 781 442 2084
> MS UBUR02-212 / Burlington MA 01803-2757 42.497N Fax +1 781 442 1677
> "PPP Design and Debugging" --- http://people.ne.mediaone.net/carlson/ppp

>How-To-Repeat:
See http://playground.sun.com/~carlsonj/
>Fix:
See http://playground.sun.com/~carlsonj/
>Release-Note:
>Audit-Trail:
>Unformatted:
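The arithmetic Carlson describes, and the Configure-Nak/ignore-Nak mitigation he recommends, worked through in C as an added example. This is not Carlson's crash program, not his ANU PPP patch and not zlib code: it mirrors the MAX_DIST(s) definition and the fill_window() slide condition using the constants quoted in the report (MAX_MATCH 258, MIN_MATCH 3, MIN_LOOKAHEAD 262), keeps w_size and strstart unsigned as zlib's uInt does, and maps the RFC 1979 4-bit Window field to a window of 2^(w+8) bytes. The enum names, the window_param_is_safe check and the choice of 1 (512 bytes) as the value to suggest in a Configure-Nak are assumptions made for the example.

```c
#include <stdio.h>

typedef unsigned int uInt;   /* zlib's uInt: s->w_size and s->strstart are unsigned */

/* Constants as cited in the report from zlib's deflate.h. */
#define MAX_MATCH     258
#define MIN_MATCH     3
#define MIN_LOOKAHEAD (MAX_MATCH + MIN_MATCH + 1)   /* 262 */

/* Mirror of MAX_DIST(s) = s->w_size - MIN_LOOKAHEAD. Because w_size is
 * unsigned, a 256-byte window yields (uInt)-6, i.e. 4294967290, which is
 * the "negative" MAX_DIST the report describes. */
uInt max_dist(uInt w_size) {
    return w_size - MIN_LOOKAHEAD;
}

/* fill_window() slides the window when strstart >= wsize + MAX_DIST(s).
 * With a 256-byte window the right-hand side wraps to 256 + (uInt)-6 = 250,
 * so the slide fires before strstart has even reached one full window. */
int slide_fires(uInt strstart, uInt w_size) {
    uInt wsize = w_size;                 /* local copy, as in fill_window() */
    return strstart >= wsize + max_dist(w_size);
}

/* strstart after the slide's "strstart -= wsize". When strstart < wsize the
 * unsigned subtraction wraps to the very large value the report mentions,
 * and that index is what later drives read_buf() outside s->window. */
uInt strstart_after_slide(uInt strstart, uInt w_size) {
    if (!slide_fires(strstart, w_size))
        return strstart;
    return strstart - w_size;
}

/* RFC 1979 Window field: 4 bits, window bytes = 2^(w + 8), valid w is 0..7.
 * Returns 1 when MAX_DIST stays positive for that window, 0 when it would go
 * negative (w == 0, the 256-byte window) or w is out of range. */
int window_param_is_safe(int w) {
    if (w < 0 || w > 7)
        return 0;
    long w_size = 1L << (w + 8);          /* signed here so the sign is visible */
    return (w_size - MIN_LOOKAHEAD) > 0;
}

enum ccp_reply { CCP_ACK, CCP_NAK };     /* assumed names for the example */

#define SUGGESTED_MIN_WINDOW 1           /* assumption: 512 bytes, smallest safe */

/* Mitigation 1: Configure-Nak a Configure-Request carrying Window 0000. */
enum ccp_reply reply_to_configure_request(int w) {
    return window_param_is_safe(w) ? CCP_ACK : CCP_NAK;
}

/* Window value to carry in that Nak: clamp to the valid range, never 0. */
int window_to_suggest(int w) {
    if (w > 7) return 7;
    if (w < 1) return SUGGESTED_MIN_WINDOW;
    return w;
}

/* Mitigation 2: ignore a Configure-Nak from the peer that asks us to use
 * Window 0000 (or any out-of-range value). */
int honour_configure_nak(int w) {
    return window_param_is_safe(w);
}

int main(void) {
    for (int w = 0; w <= 7; w++) {
        uInt w_size = 1u << (w + 8);
        printf("Window=%d w_size=%5u MAX_DIST=%d slide@strstart=250:%d safe=%d\n",
               w, w_size, (int)max_dist(w_size), slide_fires(250, w_size),
               window_param_is_safe(w));
    }
    return 0;
}
```

Only Window 0 fails the check: every other value gives MAX_DIST of at least 250 and a slide that only fires once strstart is past a full window. Later zlib releases (1.2.x) guard the same corner in deflateInit2 by silently raising windowBits 8 to 9, which is another way of reading the same arithmetic.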