misc/70022: libfetch uses bad computation leading to memory overflow

Herve Masson herve-bsdbt at mindstep.com
Thu Aug 5 01:40:19 PDT 2004

>Number:         70022
>Category:       misc
>Synopsis:       libfetch uses bad computation leading to memory overflow
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 05 08:40:18 GMT 2004
>Originator:     Herve Masson
>Release:        zunobox server (www.netzuno.com) based on FreeBSD 4.9-RELEASE-p2
Mindstep Corp.
FreeBSD bytemill.montpellier.mindstep.com 4.9-RELEASE-p2 FreeBSD 4.9-RELEASE-p2 #0: Thu Mar  4 16:35:01 GMT 2004     root at bytemill.montpellier.mindstep.com:/tmp/bsdobjs/usr/src/sys/ZUNOBOX_DEV  i386
The base64 encoding code as provided in http.c [function _http_base64()] uses the following expression to allocate memory for encoded version of the given string:

    if ((str = malloc(((l + 2) / 3) * 4)) == NULL)

This number does not include space for the terminating \0 byte, which is later inserted in the function. As a consequence, the first byte outside the allocated region is zeroed.
I have never had a problem using command line programs on my BSD system; I noticed it when I ported this code on Windows, which has the memory overflow detection turned on in debug mode.
Use the following math:

if ((str = malloc(1+((l + 2) / 3) * 4)) == NULL)

More information about the freebsd-bugs mailing list