List:       openbsd-bugs
Subject:    junkbuster buffer overflow fix for ports -current
From:       "Kenneth J. Hendrickson" <Kenneth.Hendrickson () Home ! com>
Date:       2001-12-29 21:25:24
Fix provided; Commit requested.

>Submitter-Id:	net
>Originator:	Kenneth J. Hendrickson
>Organization:	net
>Confidential:	no
>Synopsis:	junkbuster buffer overflow; dumping core
>Severity:	non-critical
>Priority:	medium
>Category:	ports
>Class:		sw-bug
>Release:	$OpenBSD: patch-encode_c,v 1.2 2001/06/09 02:36:48 angelos Exp $
>Environment:
	System      : OpenBSD 3.0
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:
	The length of a buffer is incorrectly calculated.

	/usr/ports/www/junkbuster/w-junkbuster-2.0.2/ijb20/encode.c:82

	The length is calculated by incorrectly starting at the second
	character in a string; this fails when the string has length 1.
	It fails in a far worse way when the string has length 0.

	When the buffer is used (encode.c:93), a core dump occurs.

	This bug affects ONLY the OpenBSD patched version of junkbuster,
	version 2.0.2; no other versions of junkbuster are affected.

	Note: I have not done a full OpenBSD-style audit of the
	junkbuster source, so more such bugs may still remain.

>How-To-Repeat:
	The bad input is a string "\n" sent to the second parameter s
	of the function url_encode() in file encode.c.

	The length of the buffer needed is incorrectly calculated as 0
	at line encode.c:82.  When the buffer is later used at line
	encode.c:93, junkbuster will dump core.

	I can send the configuration files that cause the core dump in
	the buggy version, if needed by anybody.  (This probably isn't
	needed, as both the bug and fix are obvious.)

>Fix:
	patch /usr/ports/www/junkbuster/patches/patch-encode_c
	with the following patch-encode_c.diff file (included).

	pkg_delete junkbuster-2.0.2

	cd /usr/ports/www/junkbuster
	make clean && make && make install

>Patch:
	Here is the patch-encode_c.diff file:

*** patch-encode_c.orig	Fri Jun  8 19:36:48 2001
--- patch-encode_c	Sat Dec 29 12:51:14 2001
***************
*** 35,41 ****
   
   	/* each input char can expand to at most 6 chars */
  -	buf = zalloc((strlen((char *) s) + 1) * 6);
! +	len = strlen((char *) s + 1) * 6;
  +	if ((buf = zalloc(len)) == NULL) {
  +	   fprintf(stderr, "%s:%d malloc failed\n", __FILE__, __LINE__);
  +	   exit(-1);
--- 35,41 ----
   
   	/* each input char can expand to at most 6 chars */
  -	buf = zalloc((strlen((char *) s) + 1) * 6);
! +	len = (strlen((char *) s) + 1) * 6;
  +	if ((buf = zalloc(len)) == NULL) {
  +	   fprintf(stderr, "%s:%d malloc failed\n", __FILE__, __LINE__);
  +	   exit(-1);
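Review bot: the replacement `len = (strlen((char *) s) + 1) * 6;` restores the sizing of the original `buf = zalloc((strlen((char *) s) + 1) * 6);` that this port patch had replaced, and it is the right fix. The old line `len = strlen((char *) s + 1) * 6;` misplaced the parenthesis, so `strlen` was measured from the second character and the `+ 1` for the terminator was lost: for `s == "\n"` that yields `len == 0`, and for an empty string `s + 1` already points past the terminator, so `strlen` reads beyond the string before the later write at encode.c:93 overflows the zero-length buffer. One nit on the surrounding lines the hunk keeps: `exit(-1)` reports exit status 255; `exit(EXIT_FAILURE)` would be the conventional form.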

-- 
PGP Key Fingerprint    02 6A 4F DE DD 77 A1 8B   21 D9 81 EB ED C8 3A DC
We are upping our standards ... so up yours.        Ken Hendrickson N8KH
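The following C program is an added illustration of the sizing bug described in the report; it is not part of the report and not junkbuster's own encode.c. It puts the buggy and the corrected length formulas side by side, and uses a small hypothetical bounds-checked percent-encoder (an assumption standing in for url_encode(), which expands each non-alphanumeric byte to three characters) to show which inputs fit into a buffer of the computed size. The inputs are constructed samples; the "\n" case is the one from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Worst-case expansion factor quoted in the patched encode.c comment:
 * "each input char can expand to at most 6 chars". */
#define EXPAND 6

/* Buffer size as computed by the buggy line:
 *     len = strlen((char *) s + 1) * 6;
 * strlen starts at the second character and the +1 for the terminator is
 * gone.  It is only defined when s has at least one byte before the NUL;
 * for "" the real code reads past the terminator, so this helper refuses
 * that case with a sentinel instead of reproducing the out-of-bounds read. */
size_t buggy_len(const char *s)
{
    if (s[0] == '\0')
        return (size_t)-1;
    return strlen(s + 1) * EXPAND;
}

/* Buffer size as computed by the corrected line:
 *     len = (strlen((char *) s) + 1) * 6;
 * room for every input byte at worst-case expansion plus the terminator. */
size_t fixed_len(const char *s)
{
    return (strlen(s) + 1) * EXPAND;
}

/* Hypothetical bounds-checked encoder (assumption, not junkbuster's code):
 * alphanumerics are copied, everything else becomes %XX.  Writes at most
 * cap bytes into out, NUL-terminates whenever cap > 0, and returns 0 rather
 * than overflowing when cap is too small; otherwise returns the number of
 * bytes written including the terminator. */
size_t encode_bounded(const char *s, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;

    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        size_t need = isalnum(c) ? 1 : 3;
        if (n + need + 1 > cap)            /* +1 keeps room for the NUL */
            goto too_small;
        if (need == 1) {
            out[n++] = (char)c;
        } else {
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        }
    }
    if (n + 1 > cap)
        goto too_small;
    out[n++] = '\0';
    return n;

too_small:
    if (cap > 0)
        out[0] = '\0';
    return 0;
}

/* Allocate a buffer of the size `sizer` reports for s and try to encode into
 * it.  Returns 1 if the encoding fit, 0 if the computed size was too small
 * (the situation in which the unpatched port wrote past its buffer). */
int encode_fits(const char *s, size_t (*sizer)(const char *))
{
    size_t len = sizer(s);
    char *buf;
    int ok;

    if (len == (size_t)-1)                 /* buggy_len refused "" */
        return 0;
    buf = malloc(len == 0 ? 1 : len);      /* malloc(0) may return NULL */
    if (buf == NULL)
        return 0;
    ok = encode_bounded(s, buf, len) != 0; /* cap is the computed len, not 1 */
    free(buf);
    return ok;
}

/* Encode s into a correctly sized buffer and compare with expected. */
int encodes_to(const char *s, const char *expected)
{
    char buf[64];                          /* plenty for the short samples */
    size_t len = fixed_len(s);
    if (len > sizeof buf || encode_bounded(s, buf, len) == 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *inputs[] = { "\n", "\n\n", "a b", "" };  /* constructed samples */
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *s = inputs[i];
        size_t b = buggy_len(s);
        if (b == (size_t)-1)
            printf("len 0: buggy formula reads past the terminator | fixed_len=%zu fits=%d\n",
                   fixed_len(s), encode_fits(s, fixed_len));
        else
            printf("len %zu: buggy_len=%zu fits=%d | fixed_len=%zu fits=%d\n",
                   strlen(s), b, encode_fits(s, buggy_len),
                   fixed_len(s), encode_fits(s, fixed_len));
    }
    return 0;
}
```

With the report's input "\n" the buggy formula yields 0 bytes, so nothing fits; the corrected formula yields 12 and the encoding fits. Because this illustrative encoder expands by at most 3 rather than 6, the buggy size also happens to be too small for "\n\n" here, while longer inputs mask the error; the real encoder's 6-byte worst case is what the corrected formula budgets for.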
