[Bug 206178] Out-of-bounds read in wcslcat(3)
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Jan 12 22:43:51 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206178
Bug ID: 206178
Summary: Out-of-bounds read in wcslcat(3)
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: cherepan at mccme.ru
Created attachment 165469
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165469&action=edit
Patch
The wcslcat function could read several bytes behind the end of its input
buffer. This could lead to a crash if the buffer happens to immediately precede
an unmapped page (or when dst=NULL and n=0).
The strlcat function[1] and, hence[2], wcslcat function are documented to work
with the destination buffer not containing NUL. In this case FreeBSD
implementation of wcslcat will read one extra wide char. The code[3] for
traversing the destination array:
56 /* Find the end of dst and adjust bytes left but don't go past
end */
57 while (*d != '\0' && n-- != 0)
58 d++;
"n-- != 0" in the loop controlling expression makes sure that the loop is
terminated after n chars are examined but the dereference in "*d != '\0'"
happens before the "n" check. For example, there would be one dereference when
n=0.
In particular, wcslcat(NULL, L"", 0) will crash. A crashing testcase with
non-null dst is attached.
To fix it, it's enough to swap the checks in the while loop (patch attached).
Or all the code could be changed to match strlcat.
The issue has security consequences but the function is rarely used so severity
seems very low.
Other BSDs are affected except for OpenBSD which fixed it in [4].
The issue is similar to [5].
[1]
https://svnweb.freebsd.org/base/head/lib/libc/string/strlcpy.3?revision=257720&view=markup#l86
[2]
https://svnweb.freebsd.org/base/head/lib/libc/string/wmemchr.3?revision=251069&view=markup
[3]
https://svnweb.freebsd.org/base/head/lib/libc/string/wcslcat.c?revision=188080&view=markup#l56
[4]
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/wcslcat.c?rev=1.4&content-type=text/x-cvsweb-markup
[5] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206177
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list