[Bug 206178] Out-of-bounds read in wcslcat(3)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 12 22:43:51 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206178

            Bug ID: 206178
           Summary: Out-of-bounds read in wcslcat(3)
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cherepan at mccme.ru

Created attachment 165469
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165469&action=edit
Patch

The wcslcat function could read several bytes behind the end of its input
buffer. This could lead to a crash if the buffer happens to immediately precede
an unmapped page (or when dst=NULL and n=0).

The strlcat function[1] and, hence[2], wcslcat function are documented to work
with the destination buffer not containing NUL. In this case FreeBSD
implementation of wcslcat will read one extra wide char. The code[3] for
traversing the destination array:

56              /* Find the end of dst and adjust bytes left but don't go past
end */
57              while (*d != '\0' && n-- != 0)
58                      d++;

"n-- != 0" in the loop controlling expression makes sure that the loop is
terminated after n chars are examined but the dereference in "*d != '\0'"
happens before the "n" check. For example, there would be one dereference when
n=0.
In particular, wcslcat(NULL, L"", 0) will crash. A crashing testcase with
non-null dst is attached.

To fix it, it's enough to swap the checks in the while loop (patch attached).
Or all the code could be changed to match strlcat.

The issue has security consequences but the function is rarely used so severity
seems very low.

Other BSDs are affected except for OpenBSD which fixed it in [4].

The issue is similar to [5].

[1]
https://svnweb.freebsd.org/base/head/lib/libc/string/strlcpy.3?revision=257720&view=markup#l86
[2]
https://svnweb.freebsd.org/base/head/lib/libc/string/wmemchr.3?revision=251069&view=markup
[3]
https://svnweb.freebsd.org/base/head/lib/libc/string/wcslcat.c?revision=188080&view=markup#l56
[4]
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/wcslcat.c?rev=1.4&content-type=text/x-cvsweb-markup
[5] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206177

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list