bin/101575: [ PATCH ] Memory overflow "off-by one" in hexdump
Dan Lukes
dan at obluda.cz
Mon Aug 7 12:10:19 UTC 2006
>Number: 101575
>Category: bin
>Synopsis: [ PATCH ] Memory overflow "off-by one" in hexdump
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 07 12:10:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 6.1-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 6.1-STABLE: Fri Aug 4 19:58:43 CEST 2006 i386
usr.bin/hexdump/parse.c,v 1.13 2004/07/22 13:14:42
but the same problem is in
System: FreeBSD 4.11-RELEASE-p19
usr.bin/hexdump/parse.c,v 1.4.2.1 2002/07/23 14:27:06
I'm almost sure the same problem is in all FreeBSD 5.X as well
>Description:
The program uses one byte more memory than allocated.
The problem occurs in strcat().
The code wants to concatenate two strings - fmtp[] has variable length,
cs[] is two bytes.
The program callocs strlen(fmtp) + 2 bytes for it, forgetting the final '\0'
of the concatenated string.
I think this overflow is not exploitable by an attacker even if we run
hexdump on a specially prepared source file. But my assumptions may be wrong.
>How-To-Repeat:
Use a memory usage analyzer (memcheck or so), then run hd with no arguments
>Fix:
Please MFC it to RELENG-4 too
--- usr.bin/hexdump/parse.c.ORIG Sun Aug 8 21:12:10 2004
+++ usr.bin/hexdump/parse.c Mon Aug 7 13:41:57 2006
@@ -394,7 +394,7 @@
*/
savech = *p2;
p1[0] = '\0';
- if ((pr->fmt = calloc(1, strlen(fmtp) + 2)) == NULL)
+ if ((pr->fmt = calloc(1, strlen(fmtp) + 3)) == NULL)
err(1, NULL);
(void)strcpy(pr->fmt, fmtp);
(void)strcat(pr->fmt, cs);
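Review bot: the replacement constant in `calloc(1, strlen(fmtp) + 3)` still hard-codes the length of `cs`, so the allocation stays correct only as long as `cs` holds exactly two characters. Deriving the size from both operands, `strlen(fmtp) + strlen(cs) + 1`, would make the `strcpy`/`strcat` pair that follows sized by construction, and a short comment noting that the `+ 1` is the terminator would keep a later reader from trimming it back to the original value.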
>Release-Note:
>Audit-Trail:
>Unformatted:
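As an added example (not code from the PR or from FreeBSD's hexdump), the allocate-then-concatenate step from parse.c written so the buffer size is derived from both operands instead of a hand-counted constant; fmtp and cs are stand-ins for the two strings the report names, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes for a then b, NUL included, derived from both operands rather
 * than a hand-counted constant.  Returns 0 on size_t overflow. */
size_t
concat_size(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b);

	if (lb > SIZE_MAX - 1 - la)
		return (0);
	return (la + lb + 1);
}

/* Allocate and build a followed by b.  snprintf is bounded by the size
 * computed above, so a miscount would show up as checked truncation,
 * not a heap overrun.  Caller frees; NULL on failure. */
char *
concat_alloc(const char *a, const char *b)
{
	size_t n = concat_size(a, b);
	char *s;

	if (n == 0 || (s = calloc(1, n)) == NULL)
		return (NULL);
	if ((size_t)snprintf(s, n, "%s%s", a, b) >= n) {
		free(s);
		return (NULL);
	}
	return (s);
}

/* How many bytes the original strlen(fmtp) + 2 allocation falls short. */
long
shortfall(const char *fmtp, const char *cs)
{
	return ((long)concat_size(fmtp, cs) - (long)(strlen(fmtp) + 2));
}

int
main(void)
{
	/* Constructed operands standing in for parse.c's fmtp and cs. */
	char *fmt = concat_alloc("%-16", "qd");

	printf("\"%s\": needs %zu bytes, strlen(fmtp) + 2 is short by %ld\n",
	    fmt, concat_size("%-16", "qd"), shortfall("%-16", "qd"));
	free(fmt);
	return (0);
}
```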