From archie@whistle.com  Fri May 19 10:40:47 2000
Return-Path: <archie@whistle.com>
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7])
	by hub.freebsd.org (Postfix) with ESMTP id 6842B37BAAD
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 19 May 2000 10:40:46 -0700 (PDT)
	(envelope-from archie@whistle.com)
Received: (from archie@localhost)
	by bubba.whistle.com (8.9.3/8.9.2) id KAA41091;
	Fri, 19 May 2000 10:40:46 -0700 (PDT)
Message-Id: <200005191740.KAA41091@bubba.whistle.com>
Date: Fri, 19 May 2000 10:40:46 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
Reply-To: archie@whistle.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: Bug in libz
X-Send-Pr-Version: 3.2

>Number:         18678
>Category:       bin
>Synopsis:       Bug in libz
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 19 10:50:01 PDT 2000
>Closed-Date:    Mon Aug 23 10:33:17 GMT 2004
>Last-Modified:  Mon Aug 23 10:33:17 GMT 2004
>Originator:     Archie Cobbs
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
Whistle Communications, Inc.
>Environment:

	All versions of FreeBSD

>Description:

	[I rec'd this email on the ietf-ppp mailing list and copy it here]

> From owner-ietf-ppp-outgoing@merit.edu Fri May 19 07:25:39 2000
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-ID: <14629.20138.903736.299605@gargle.gargle.HOWL>
> Date: Fri, 19 May 2000 10:24:42 -0400 (EDT)
> From: James Carlson <james.d.carlson@east.sun.com>
> To: pppext <ietf-ppp@merit.edu>
> Subject: RFC 1979 Deflate / zlib warning
> X-Mailer: VM 6.75 under Emacs 20.6.1
> Sender: owner-ietf-ppp@merit.edu
> Precedence: bulk
> Errors-To: owner-ietf-ppp-outgoing@merit.edu
> Status: RO
> 
> I've found a potentially serious bug in all popular versions of zlib
> (0.99, 1.0.4, and the latest 1.1.3) by Jean-loup Gailly and Mark
> Adler.  This library is used to implement RFC 1979 Deflate
> compression.
> 
> The short version:
> 
> 	If the deflate window size is set to 8, zlib will corrupt
> 	memory and (depending on your implementation) cause a kernel
> 	panic.  The recommended fix is to reply with Configure-Nak if
> 	the peer has the Window parameter set to 0000 (size 8) in its
> 	Configure-Request and ignore Configure-Nak with Window set to
> 	0000.
> 
> The long version:
> 
> 	The problem is that s->strstart gets set to a very large
> 	positive integer when wsize (local copy of s->w_size) is
> 	subtracted in deflate.c:fill_window().  This happens because
> 	MAX_DIST(s) resolves as a negative number when the window size
> 	is 8 -- MAX_DIST(s) is defined as s->w_size-MIN_LOOKAHEAD in
> 	deflate.h.  MIN_LOOKAHEAD is MAX_MATCH+MIN_MATCH+1, and that
> 	is 258+3+1 or 262.  Since a window size of 8 gives s->w_size
> 	256, MAX_DIST(s) is 256-262 or -6.
> 
> 	This results in read_buf() writing over memory outside of
> 	s->window, and a crash.
> 
> 	I tried experimenting with the definition of MAX_MATCH,
> 	MAX_LOOKAHEAD, and MAX_DIST(s) using cargo-cult techniques
> 	without much success.  I was able to get deflate() (the
> 	compression call) to avoid crashing, but I was rewarded with
> 	either "invalid stored block lengths" or "oversubscribed
> 	dynamic bit lengths tree" on calling inflate() on the
> 	resulting compressed data, and I wasn't able to fix this.
> 
> Patches:
> 
> 	I've posted patches for ANU PPP and a short example program
> 	that crashes zlib to my Sun web site:
> 
> 		http://playground.sun.com/~carlsonj/
> 
> -- 
> James Carlson, Internet Engineering       <james.d.carlson@east.sun.com>
> SUN Microsystems / 1 Network Drive         71.234W   Vox +1 781 442 2084
> MS UBUR02-212 / Burlington MA 01803-2757   42.497N   Fax +1 781 442 1677
> "PPP Design and Debugging" --- http://people.ne.mediaone.net/carlson/ppp
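
	[Added worked example; this is not code from the PR, from zlib or
	from any PPP implementation.  It re-enacts the arithmetic in the
	"long version" above with zlib's own integer types (w_size is uInt,
	so 256 - 262 does not give -6 but wraps), and then shows the two
	guards the "short version" asks for: refusing windowBits 8 before
	deflateInit2(), and answering a Configure-Request whose RFC 1979
	Deflate option carries Window 0000 with a Configure-Nak while
	ignoring a Configure-Nak that asks for Window 0000.  The option
	layout (Type 26, Length 4, Window in the high nibble, Method 8 in
	the low nibble, Chk 0) follows RFC 1979; the Rej policy for a bad
	Method or Chk and the helper names are this example's own choices.
	The option bytes in main() are constructed test input.]

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as in zlib 1.1.3 (zutil.h / deflate.h). */
#define MIN_MATCH     3u
#define MAX_MATCH     258u
#define MIN_LOOKAHEAD (MAX_MATCH + MIN_MATCH + 1u)      /* 262 */
/* deflate.h: #define MAX_DIST(s) ((s)->w_size - MIN_LOOKAHEAD).  w_size is
 * uInt, so for a 256-byte window the subtraction wraps to 0xFFFFFFFA. */
#define MAX_DIST(wsize) ((wsize) - MIN_LOOKAHEAD)

struct slide {
    int      slid;        /* fill_window()'s "move upper half down" branch fired */
    unsigned strstart;    /* s->strstart after that branch */
    unsigned write_off;   /* offset from s->window that read_buf() writes at */
    int      in_bounds;   /* write_off < window_size (2 * w_size)? */
};

/* Re-enacts the slide decision in zlib 1.1.3 fill_window() with zlib's types:
 *     if (s->strstart >= wsize + MAX_DIST(s)) { ... s->strstart -= wsize; }
 *     read_buf(s->strm, s->window + s->strstart + s->lookahead, more);
 * wsize is 1 << windowBits; lookahead is whatever is already buffered. */
struct slide simulate_slide(unsigned wsize, unsigned strstart, unsigned lookahead)
{
    struct slide r;
    r.slid      = strstart >= wsize + MAX_DIST(wsize);
    r.strstart  = r.slid ? strstart - wsize : strstart;
    r.write_off = r.strstart + lookahead;
    r.in_bounds = r.write_off < 2u * wsize;
    return r;
}

/* Caller-side guard for deflateInit2(): 512 bytes (windowBits 9) is the
 * smallest window for which MAX_DIST(s) does not wrap.  Example's helper. */
int deflate_window_bits_ok(int window_bits)
{
    return window_bits >= 9 && window_bits <= 15;
}

/* RFC 1979 CCP Deflate option: Type 26, Length 4, Window(4)|Method(4), Chk.
 * Window w means a 2^(w+8)-byte window, so w == 0 is the 256-byte case. */
#define CCP_DEFLATE_TYPE    26
#define CCP_DEFLATE_LEN     4
#define CCP_DEFLATE_METHOD  8

enum ccp_reply { CCP_ACK, CCP_NAK, CCP_REJ };

/* Reply to a peer's Configure-Request carrying a Deflate option.  Window 0
 * is Nak'd with Window 1 (512 bytes); malformed options, a Method other
 * than 8 or a non-zero Chk are Rej'd (the Rej policy is this example's). */
enum ccp_reply deflate_on_conf_req(const uint8_t *opt, size_t len, uint8_t nak[4])
{
    unsigned w;
    if (len < CCP_DEFLATE_LEN || opt[0] != CCP_DEFLATE_TYPE || opt[1] != CCP_DEFLATE_LEN)
        return CCP_REJ;
    if ((opt[2] & 0x0f) != CCP_DEFLATE_METHOD || opt[3] != 0)
        return CCP_REJ;
    w = opt[2] >> 4;
    if (w > 7)
        return CCP_REJ;
    if (w == 0) {
        nak[0] = CCP_DEFLATE_TYPE;
        nak[1] = CCP_DEFLATE_LEN;
        nak[2] = (uint8_t)((1u << 4) | CCP_DEFLATE_METHOD);
        nak[3] = 0;
        return CCP_NAK;
    }
    return CCP_ACK;
}

/* Handle a peer's Configure-Nak of our Deflate option: returns the Window
 * value to retry with, or -1 when the Nak must be ignored (it asks for 0). */
int deflate_on_conf_nak(const uint8_t *opt, size_t len)
{
    unsigned w;
    if (len < CCP_DEFLATE_LEN || opt[0] != CCP_DEFLATE_TYPE || opt[1] != CCP_DEFLATE_LEN)
        return -1;
    w = opt[2] >> 4;
    if (w == 0 || w > 7)
        return -1;
    return (int)w;
}

int main(void)
{
    struct slide bad = simulate_slide(256, 250, 0);   /* windowBits 8 */
    struct slide ok  = simulate_slide(512, 762, 0);   /* windowBits 9 */
    const uint8_t req_w0[4] = { 26, 4, 0x08, 0 };     /* constructed: Window 0, Method 8 */
    uint8_t nak[4];

    printf("w_size 256: slid=%d strstart=%u (0x%x) in_bounds=%d\n",
           bad.slid, bad.strstart, bad.strstart, bad.in_bounds);
    printf("w_size 512: slid=%d strstart=%u in_bounds=%d\n",
           ok.slid, ok.strstart, ok.in_bounds);
    printf("Conf-Req with Window 0 -> %s\n",
           deflate_on_conf_req(req_w0, 4, nak) == CCP_NAK ? "Configure-Nak, Window 1" : "other");
    return 0;
}
```

	With w_size 256 the slide threshold wsize + MAX_DIST(s) wraps to
	250, and subtracting 256 from a strstart of 250 leaves 0xFFFFFFFA,
	far beyond the 512-byte window; with w_size 512 the same branch
	leaves strstart at 250, inside the window, which is the invariant
	the "we now have strstart >= MAX_DIST" comment in deflate.c relies on.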


>How-To-Repeat:

	See http://playground.sun.com/~carlsonj/

>Fix:
	
	See http://playground.sun.com/~carlsonj/


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: mike 
State-Changed-When: Sat Jul 21 19:37:37 PDT 2001 
State-Changed-Why:  

Does this problem still occur in newer versions of FreeBSD, 
such as 4.3-RELEASE? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18678 

From: Mike Barcroft <mike@FreeBSD.org>
To: Archie Cobbs <archie@dellroad.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/18678: Bug in libz
Date: Mon, 23 Jul 2001 00:48:37 -0400

 On Sun, Jul 22, 2001 at 09:34:39PM -0500, Archie Cobbs wrote:
 > mike@FreeBSD.org writes:
 > > Synopsis: Bug in libz
 > > 
 > > State-Changed-From-To: open->feedback
 > > State-Changed-By: mike
 > > State-Changed-When: Sat Jul 21 19:37:37 PDT 2001
 > > State-Changed-Why: 
 > > 
 > > Does this problem still occur in newer versions of FreeBSD,
 > > such as 4.3-RELEASE?
 > > 
 > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18678
 > 
 > Yes, because FreeBSD is using version 1.1.3. See the URL
 > mentioned in the PR for more information:
 > 
 >     http://playground.sun.com/~carlsonj/
 
 I see.  What was the response from the vendor?
 
 Best regards,
 Mike Barcroft

From: Mike Barcroft <mike@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/18678: Bug in libz
Date: Wed, 1 Aug 2001 23:31:54 -0400

 Adding to Audit-Trail.
 
 ----- Forwarded message from Archie Cobbs <archie@dellroad.org> -----
 
 Delivered-To: mike@freebsd.org
 From: Archie Cobbs <archie@dellroad.org>
 Subject: Re: bin/18678: Bug in libz
 In-Reply-To: <20010723004837.A70468@coffee.q9media.com> "from Mike Barcroft at
  Jul 23, 2001 00:48:37 am"
 To: Mike Barcroft <mike@FreeBSD.org>
 Date: Sat, 28 Jul 2001 21:49:26 -0500 (CDT)
 X-Mailer: ELM [version 2.4ME+ PL82 (25)]
 
 Mike Barcroft writes:
 > On Sun, Jul 22, 2001 at 09:34:39PM -0500, Archie Cobbs wrote:
 > > mike@FreeBSD.org writes:
 > > > Synopsis: Bug in libz
 > > > 
 > > > State-Changed-From-To: open->feedback
 > > > State-Changed-By: mike
 > > > State-Changed-When: Sat Jul 21 19:37:37 PDT 2001
 > > > State-Changed-Why: 
 > > > 
 > > > Does this problem still occur in newer versions of FreeBSD,
 > > > such as 4.3-RELEASE?
 > > > 
 > > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18678
 > > 
 > > Yes, because FreeBSD is using version 1.1.3. See the URL
 > > mentioned in the PR for more information:
 > > 
 > >     http://playground.sun.com/~carlsonj/
 > 
 > I see.  What was the response from the vendor?
 
 Never heard one (but I didn't pursue it myself very much).
 
 -Archie
 
 __________________________________________________________________________
 Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
 
 ----- End forwarded message -----
State-Changed-From-To: feedback->analyzed 
State-Changed-By: mike 
State-Changed-When: Wed Aug 1 20:24:07 PDT 2001 
State-Changed-Why:  

This is still a problem. 


Responsible-Changed-From-To: freebsd-bugs->peter 
Responsible-Changed-By: mike 
Responsible-Changed-When: Wed Aug 1 20:24:07 PDT 2001 
Responsible-Changed-Why:  

Over to the maintainer of libz. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18678 

From: Archie Cobbs <archie@packetdesign.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/18678: Bug in libz
Date: Thu, 30 May 2002 13:14:41 -0700

 Below is the test program copied here for your convenience.
 
   "You can demonstrate the problem for yourself with this test program.
    If TEST_WINDOW is set to 8, it crashes, but 9 to 15 works."
 
 FYI, The bug still exists in FreeBSD 4.5-REL.
 
 -Archie
 
 ___________________________________________________________________________
 Archie Cobbs    *    Packet Design, Inc.   *    http://www.packetdesign.com
 
 #include <stdio.h>
 #include <stdlib.h>
 #include "zconf.h"
 #include "zlib.h"
 
 /* cc -o zlib-bug -Wall zlib-bug.c -lz */
 
 /* windowBits handed to deflateInit2()/inflateInit2().  8 (a 256-byte
  * window) crashes zlib 0.99 through 1.1.3; 9 to 15 run without error. */
 #define TEST_WINDOW	8
 
 /* Header placed in front of every allocation handed to zlib, so that a
  * write past the end of one chunk into the next chunk's guard is noticed
  * when zlib frees it. */
 struct zchunk {
 	unsigned	size;
 	unsigned	guard;
 };
 
 #define	GUARD_MAGIC	0x77a6011a
 
 static char quickbrown[] =
 "The quick brown fox jumped over the lazy dog's back.";
 
 static char tempbuf[1024],tempbuf2[1024];
 
 /* zlib zalloc callback: items*size bytes behind a zchunk header. */
 static void *
 z_alloc(void *notused, unsigned items, unsigned size)
 {
 	struct zchunk	*z;
 
 	(void)notused;
 	size = items * size + sizeof (struct zchunk);
 
 	z = (struct zchunk *)malloc(size);
 	if (z == NULL)
 		return (NULL);	/* zlib reports this as Z_MEM_ERROR */
 
 	z->size = size;
 	z->guard = GUARD_MAGIC;
 
 	return ((void *)(z + 1));
 }
 
 /* zlib zfree callback: refuse to free a chunk whose guard was overwritten. */
 static void
 z_free(void *notused, void *ptr)
 {
 	struct zchunk	*z = ((struct zchunk *)ptr) - 1;
 
 	(void)notused;
 	if (z->guard != GUARD_MAGIC) {
 		fprintf(stderr,"z_free of corrupted chunk at %p (%x, %x)\n",
 		    (void *)z, z->size, z->guard);
 		return;
 	}
 	free(z);
 }
 
 z_stream compr,decompr;
 
 int
 main(void)
 {
 	int retv;
 
 	compr.next_in = NULL;
 	compr.zalloc = z_alloc;
 	compr.zfree = z_free;
 	if (deflateInit2(&compr, Z_DEFAULT_COMPRESSION, Z_DEFLATED, TEST_WINDOW, 8,
 	    Z_DEFAULT_STRATEGY) != Z_OK) {
 		fprintf(stderr,"Compress set-up failed.\n");
 		exit(1);
 	}
 	deflateReset(&compr);
 	decompr.next_out = NULL;
 	decompr.zalloc = z_alloc;
 	decompr.zfree = z_free;
 	if (inflateInit2(&decompr, TEST_WINDOW) != Z_OK) {
 		fprintf(stderr,"Decompress set-up failed.\n");
 		exit(1);
 	}
 	inflateReset(&decompr);
 
 	/* Feed the same short string (NUL included) forever and inflate
 	 * whatever deflate() emits.  With TEST_WINDOW 8 the compressor's
 	 * strstart wraps in fill_window() and read_buf() writes outside
 	 * s->window, so the loop ends in a crash or a corrupted-chunk
 	 * message; with a larger window it prints dots until interrupted. */
 	for (;;) {
 		fputc('.',stderr);
 		compr.next_in = (Bytef *)quickbrown;
 		compr.avail_in = sizeof(quickbrown);
 		compr.next_out = (Bytef *)tempbuf;
 		compr.avail_out = sizeof(tempbuf);
 		retv = deflate(&compr,Z_NO_FLUSH);
 		if (retv != Z_OK) {
 			fprintf(stderr,"Compression failed %s\n",
 			    compr.msg?compr.msg:"");
 			exit(1);
 		}
 		if (compr.avail_out != sizeof(tempbuf)) {
 			decompr.next_in = (Bytef *)tempbuf;
 			decompr.avail_in = sizeof(tempbuf)-compr.avail_out;
 			decompr.next_out = (Bytef *)tempbuf2;
 			decompr.avail_out = sizeof(tempbuf2);
 			retv = inflate(&decompr,Z_NO_FLUSH);
 			if (retv != Z_OK) {
 				fprintf(stderr,"Decompression failed %s\n",
 				    decompr.msg?decompr.msg:"");
 				exit(1);
 			}
 		}
 	}
 }
Responsible-Changed-From-To: peter->freebsd-bugs 
Responsible-Changed-By: peter 
Responsible-Changed-When: Mon Mar 29 11:17:14 PST 2004 
Responsible-Changed-Why:  
Return neglected PR to the pool 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18678 
State-Changed-From-To: analyzed->closed 
State-Changed-By: tjr 
State-Changed-When: Mon Aug 23 10:30:03 GMT 2004 
State-Changed-Why:  
This has been fixed (for some definition of the word) in zlib 1.1.4; 
all supported branches now use zlib 1.1.4 or newer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18678 
>Unformatted:
