bozo: out-of-bound index

To: tech-kern%NetBSD.org@localhost
Subject: bozo: out-of-bound index
From: Maxime Villard <max%M00nBSD.net@localhost>
Date: Thu, 25 Dec 2014 22:02:04 +0100

Hi,
a bug I spotted some weeks ago:

------------------ libexec/httpd/auth-bozo.c l.139 ------------------
base64_decode(const unsigned char *in, size_t ilen, unsigned char *out,
	      size_t olen)
{
	unsigned char *cp;
	size_t	 i;

	cp = out;
	for (i = 0; i < ilen; i += 4) {
		...
	}
	while (in[i - 1] == '=')
		cp--,i--;
	return (cp - out);
}
---------------------------------------------------------------------

Here, if ilen=0, 'in' will be accessed at -1. It seems to be
triggerable, since both 'ilen' and 'in' are extracted from received
data.

However it is harmless: it is called by bozo_auth_check_headers(),
and these two variables are sanitized in bozohttpd.c in such a way
that in[-1] is always a valid memory area, always set to ' '.

Still this is fragile.

Follow-Ups:
- re: bozo: out-of-bound index
  - From: matthew green

Prev by Date: Re: pserialize & hw interrupt
Next by Date: Tru64 AdvFS porting to NetBSD - 4. status 2014-12-25
Previous by Thread: sys/clock.h finalization
Next by Thread: re: bozo: out-of-bound index
Indexes:

Home | Main Index | Thread Index | Old Index