bin/101575: [ PATCH ] Memory overflow "off-by one" in hexdump

Dan Lukes dan at
Mon Aug 7 12:10:19 UTC 2006

>Number:         101575
>Category:       bin
>Synopsis:       [ PATCH ] Memory overflow "off-by one" in hexdump
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 07 12:10:17 GMT 2006
>Originator:     Dan Lukes
>Release:        FreeBSD 6.1-STABLE i386
System: FreeBSD 6.1-STABLE: Fri Aug 4 19:58:43 CEST 2006 i386
usr.bin/hexdump/parse.c,v 1.13 2004/07/22 13:14:42

but the same problem is in 

System: FreeBSD 4.11-RELEASE-p19
usr.bin/hexdump/parse.c,v 2002/07/23 14:27:06

	I'm almost sure the same problem is in all FreeBSD 5.X as well

	The program uses one byte more memory than allocated.

	The problem occurs in strcat().

	The code wants to concatenate two strings: fmtp[] has variable length,
cs[] is two bytes.

	The program callocs strlen(fmtp) + 2 bytes for it, forgetting the final '\0'
of the concatenated string.

	I think this overflow is not exploitable by an attacker even if we run
hexdump on a specially prepared source file. But my assumptions may be wrong.

	Use a memory usage analyzer (memcheck or similar), then run hd with no arguments.


	Please MFC it to RELENG-4 too

--- usr.bin/hexdump/parse.c.ORIG	Sun Aug  8 21:12:10 2004
+++ usr.bin/hexdump/parse.c	Mon Aug  7 13:41:57 2006
@@ -394,7 +394,7 @@
 			savech = *p2;
 			p1[0] = '\0';
-			if ((pr->fmt = calloc(1, strlen(fmtp) + 2)) == NULL)
+			if ((pr->fmt = calloc(1, strlen(fmtp) + 3)) == NULL)
 				err(1, NULL);
 			(void)strcpy(pr->fmt, fmtp);
 			(void)strcat(pr->fmt, cs);
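Review bot: the corrected size on the calloc line is still a hard-coded constant (`strlen(fmtp) + 3`) that silently encodes the assumption that `cs` holds at most two characters plus its NUL, which is exactly how the original `+ 2` went wrong. Since the hunk shows the buffer is filled by `strcpy(pr->fmt, fmtp)` followed by `strcat(pr->fmt, cs)`, derive the size from the operands instead: `if ((pr->fmt = calloc(1, strlen(fmtp) + strlen(cs) + 1)) == NULL)`, or build the string with `asprintf(&pr->fmt, "%s%s", fmtp, cs)` and check its return value, so the allocation cannot drift from the write again if `cs` changes length later. The `calloc` zero-fill is also redundant once `strcpy` overwrites the buffer, so `malloc` with the computed size would read more honestly.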
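The size arithmetic behind the report, as an added example that is not hexdump's code and not part of the PR: it computes how many bytes `strcpy()` + `strcat()` actually write for a format prefix and a one- or two-character suffix, compares that with the `+ 2` allocation the PR patches and the `+ 3` it proposes, and then shows two ways to write the concatenation so the size is derived from the operands (or the write is bounded and the failure reported) rather than from a constant. The function names, the `"%x"`/`"%08x"` prefixes and the `"x"`/`"lx"` suffixes are constructed for illustration and are assumptions, not values taken from parse.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not hexdump's code): the size arithmetic behind the PR.
 * strcpy(dst, fmtp) followed by strcat(dst, cs) writes strlen(fmtp) +
 * strlen(cs) bytes plus one terminating NUL.
 */
size_t concat_bytes_written(const char *fmtp, const char *cs)
{
    return strlen(fmtp) + strlen(cs) + 1;
}

/* The allocation on the line the PR patches: strlen(fmtp) + 2. */
size_t alloc_before_patch(const char *fmtp)
{
    return strlen(fmtp) + 2;
}

/* The allocation after the PR's patch: strlen(fmtp) + 3. */
size_t alloc_after_patch(const char *fmtp)
{
    return strlen(fmtp) + 3;
}

/* Bytes written past the end of an allocation of `alloc` bytes; 0 means it fits. */
size_t bytes_past_end(size_t alloc, const char *fmtp, const char *cs)
{
    size_t need = concat_bytes_written(fmtp, cs);
    return need > alloc ? need - alloc : 0;
}

/*
 * Allocation derived from the operands rather than from a constant, so it
 * stays correct whatever length cs[] has.  Caller frees the result.
 */
char *concat_alloc(const char *fmtp, const char *cs)
{
    size_t flen = strlen(fmtp), clen = strlen(cs);
    char *buf = malloc(flen + clen + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, fmtp, flen);
    memcpy(buf + flen, cs, clen + 1);   /* clen + 1 copies the NUL as well */
    return buf;
}

/*
 * Bounded variant for a fixed-size destination: returns 0 on success and
 * -1 (leaving dst empty) when the result would not fit, instead of
 * silently overrunning the way strcat() does.
 */
int concat_bounded(char *dst, size_t dstsz, const char *fmtp, const char *cs)
{
    int n = snprintf(dst, dstsz, "%s%s", fmtp, cs);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Tries concat_bounded() into a scratch buffer of `dstsz` bytes; NULL if it does not fit. */
const char *concat_bounded_try(size_t dstsz, const char *fmtp, const char *cs)
{
    static char scratch[64];
    if (dstsz > sizeof scratch)
        return NULL;
    return concat_bounded(scratch, dstsz, fmtp, cs) == 0 ? scratch : NULL;
}

int main(void)
{
    /* Constructed inputs: cs[] holding one or two characters, as the report describes. */
    static const char *const fmts[] = { "%x", "%08x" };
    static const char *const suffixes[] = { "x", "lx" };
    char *s;

    for (size_t i = 0; i < 2; i++) {
        for (size_t j = 0; j < 2; j++) {
            const char *f = fmts[i], *c = suffixes[j];
            printf("fmtp=\"%s\" cs=\"%s\": writes %zu bytes; +2 overruns by %zu, +3 overruns by %zu\n",
                   f, c, concat_bytes_written(f, c),
                   bytes_past_end(alloc_before_patch(f), f, c),
                   bytes_past_end(alloc_after_patch(f), f, c));
        }
    }

    s = concat_alloc("%08x", "lx");
    if (s != NULL) {
        printf("concat_alloc -> \"%s\"\n", s);
        free(s);
    }
    if (concat_bounded_try(4, "%x", "lx") == NULL)
        printf("concat_bounded: \"%%x\" + \"lx\" does not fit in 4 bytes\n");
    return 0;
}
```

Running it shows that the `+ 2` allocation is exact for a one-character `cs` and one byte short for a two-character one, which is why a one-byte heap overrun only surfaces on the format paths that use the longer suffix; both replacement functions make that distinction disappear.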
