re: bozo: out-of-bound index

To: Maxime Villard <max%M00nBSD.net@localhost>
Subject: re: bozo: out-of-bound index
From: matthew green <mrg%eterna.com.au@localhost>
Date: Sat, 27 Dec 2014 06:52:03 +1100

Maxime Villard writes:
> Hi,
> a bug I spotted some weeks ago:
> 
> ------------------ libexec/httpd/auth-bozo.c l.139 ------------------
> base64_decode(const unsigned char *in, size_t ilen, unsigned char *out,
> 	      size_t olen)
> {
> 	unsigned char *cp;
> 	size_t	 i;
> 
> 	cp = out;
> 	for (i = 0; i < ilen; i += 4) {
> 		...
> 	}
> 	while (in[i - 1] == '=')
> 		cp--,i--;
> 	return (cp - out);
> }
> ---------------------------------------------------------------------
> 
> Here, if ilen=0, 'in' will be accessed at -1. It seems to be
> triggerable, since both 'ilen' and 'in' are extracted from received
> data.
> 
> However it is harmless: it is called by bozo_auth_check_headers(),
> and these two variables are sanitized in bozohttpd.c in such a way
> that in[-1] is always a valid memory area, always set to ' '.
> 
> Still this is fragile.

thanks.  i've commited a fix.


.mrg.

References:
- bozo: out-of-bound index
  - From: Maxime Villard

Prev by Date: Re: if_wm between netbsd-6 and netbsd-7 issue
Next by Date: OpenZFS?
Previous by Thread: bozo: out-of-bound index
Next by Thread: Tru64 AdvFS porting to NetBSD - 4. status 2014-12-25
Indexes:

Home | Main Index | Thread Index | Old Index