bin/137484: Integer overflow in wpa_supplicant base64 encoder
Jonathan Bokovza
onatan at gmail.com
Thu Aug 6 12:00:19 UTC 2009
>Number: 137484
>Category: bin
>Synopsis: Integer overflow in wpa_supplicant base64 encoder
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 06 12:00:18 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Jonathan Bokovza
>Release: 7.2
>Organization:
Afarsec
>Environment:
FreeBSD hmmm.mmmm.com 7.2-STABLE FreeBSD 7.2-STABLE #24: Fri Jun 12 16:21:06 IDT 2009 root at hmmmm.mmmm.com:/usr/obj/usr/src/sys/KERN i386
>Description:
from src/contrib/wpa_supplicant/base64.c :
unsigned char * base64_encode(const unsigned char *src, size_t len,
size_t *out_len)
{
unsigned char *out, *pos;
const unsigned char *end, *in;
size_t olen;
int line_len;
olen = len * 4 / 3 + 4; /* 3-byte blocks to 4-byte */
olen += olen / 72; /* line feeds */
olen++; /* nul termination */
out = os_malloc(olen);
if (out == NULL)
return NULL;
If len is large enough then olen will wrap and malloc will allocate too little memory. This might be a security issue.
>How-To-Repeat:
N/A
>Fix:
olen++; /* nul termination */
if (olen < len)
return NULL;
out = os_malloc(olen);
if (out == NULL)
return NULL;
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list