misc/70022: libfetch uses bad computation leading to memory overflow
Herve Masson
herve-bsdbt at mindstep.com
Thu Aug 5 01:40:19 PDT 2004
>Number: 70022
>Category: misc
>Synopsis: libfetch uses bad computation leading to memory overflow
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 05 08:40:18 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Herve Masson
>Release: zunobox server (www.netzuno.com) based on FreeBSD 4.9-RELEASE-p2
>Organization:
Mindstep Corp.
>Environment:
FreeBSD bytemill.montpellier.mindstep.com 4.9-RELEASE-p2 FreeBSD 4.9-RELEASE-p2 #0: Thu Mar 4 16:35:01 GMT 2004 root at bytemill.montpellier.mindstep.com:/tmp/bsdobjs/usr/src/sys/ZUNOBOX_DEV i386
>Description:
The base64 encoding code as provided in http.c [function _http_base64()] uses the following expression to allocate memory for encoded version of the given string:
if ((str = malloc(((l + 2) / 3) * 4)) == NULL)
This number does not include space for the terminating \0 byte, which is later inserted in the function. As a consequence, the first byte outside the allocated region is zeroed.
>How-To-Repeat:
I have never had a problem using command line programs on my BSD system; I noticed it when I ported this code on Windows, which has the memory overflow detection turned on in debug mode.
>Fix:
Use the following math:
if ((str = malloc(1+((l + 2) / 3) * 4)) == NULL)
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list