misc/70022: libfetch uses bad computation leading to memory overflow
herve-bsdbt at mindstep.com
Thu Aug 5 01:40:19 PDT 2004
>Synopsis: libfetch uses bad computation leading to memory overflow
>Arrival-Date: Thu Aug 05 08:40:18 GMT 2004
>Originator: Herve Masson
>Release: zunobox server (www.netzuno.com) based on FreeBSD 4.9-RELEASE-p2
FreeBSD bytemill.montpellier.mindstep.com 4.9-RELEASE-p2 FreeBSD 4.9-RELEASE-p2 #0: Thu Mar 4 16:35:01 GMT 2004 root at bytemill.montpellier.mindstep.com:/tmp/bsdobjs/usr/src/sys/ZUNOBOX_DEV i386
The base64 encoding code as provided in http.c [function _http_base64()] uses the following expression to allocate memory for encoded version of the given string:
if ((str = malloc(((l + 2) / 3) * 4)) == NULL)
This number does not include space for the terminating \0 byte, which is later inserted in the function. As a consequence, the first byte outside the allocated region is zeroed.
I have never had a problem using command line programs on my BSD system; I noticed it when I ported this code on Windows, which has the memory overflow detection turned on in debug mode.
Use the following math:
if ((str = malloc(1+((l + 2) / 3) * 4)) == NULL)
More information about the freebsd-bugs