From nobody@FreeBSD.org  Thu Aug  6 11:55:04 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6D786106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  6 Aug 2009 11:55:04 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5C7038FC1F
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  6 Aug 2009 11:55:04 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n76Bt4Um015982
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 6 Aug 2009 11:55:04 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n76Bt4vb015981;
	Thu, 6 Aug 2009 11:55:04 GMT
	(envelope-from nobody)
Message-Id: <200908061155.n76Bt4vb015981@www.freebsd.org>
Date: Thu, 6 Aug 2009 11:55:04 GMT
From: Jonathan Bokovza <onatan@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Integer overflow in wpa_supplicant base64 encoder
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         137484
>Category:       bin
>Synopsis:       [patch] Integer overflow in wpa_supplicant(8) base64 encoder
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-wireless
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 06 12:00:18 UTC 2009
>Closed-Date:    Mon Apr 08 16:33:13 UTC 2013
>Last-Modified:  Mon Apr 08 16:33:13 UTC 2013
>Originator:     Jonathan Bokovza
>Release:        7.2
>Organization:
Afarsec
>Environment:
FreeBSD hmmm.mmmm.com 7.2-STABLE FreeBSD 7.2-STABLE #24: Fri Jun 12 16:21:06 IDT 2009     root@hmmmm.mmmm.com:/usr/obj/usr/src/sys/KERN  i386
>Description:
from src/contrib/wpa_supplicant/base64.c :

unsigned char * base64_encode(const unsigned char *src, size_t len,
                              size_t *out_len)
{
        unsigned char *out, *pos;
        const unsigned char *end, *in;
        size_t olen;
        int line_len;

        olen = len * 4 / 3 + 4; /* 3-byte blocks to 4-byte */
        olen += olen / 72; /* line feeds */
        olen++; /* nul termination */
        out = os_malloc(olen);
        if (out == NULL)
                return NULL;


If len is large enough then olen will wrap and malloc will allocate too little memory. This might be a security issue.

>How-To-Repeat:
N/A
>Fix:
        olen++; /* nul termination */
        if (olen < len)
                return NULL;
        out = os_malloc(olen);
        if (out == NULL)
                return NULL;


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Aug 6 22:28:46 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137484 
Responsible-Changed-From-To: freebsd-net->freebsd-wireless 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Sun May 1 19:49:12 UTC 2011 
Responsible-Changed-Why:  
New mailing list owns this one 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137484 
State-Changed-From-To: open->patched 
State-Changed-By: eadler 
State-Changed-When: Sun May 1 19:55:52 UTC 2011 
State-Changed-Why:  
the file referenced does not exist on head and the issue appears to be 
fixed in both head and 8-stable. The problem still exists on 7.x 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137484 
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Mon Apr 8 16:33:12 UTC 2013 
State-Changed-Why:  
issue fixed in all supported sytems;  closed per emaste request 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137484 
>Unformatted:
