tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bozo: out-of-bound index

a bug I spotted some weeks ago:

------------------ libexec/httpd/auth-bozo.c l.139 ------------------
base64_decode(const unsigned char *in, size_t ilen, unsigned char *out,
	      size_t olen)
	unsigned char *cp;
	size_t	 i;

	cp = out;
	for (i = 0; i < ilen; i += 4) {
	while (in[i - 1] == '=')
	return (cp - out);

Here, if ilen=0, 'in' will be accessed at -1. It seems to be
triggerable, since both 'ilen' and 'in' are extracted from received

However it is harmless: it is called by bozo_auth_check_headers(),
and these two variables are sanitized in bozohttpd.c in such a way
that in[-1] is always a valid memory area, always set to ' '.

Still this is fragile.

Home | Main Index | Thread Index | Old Index