From karl@Codebase.mcs.net  Tue Oct  7 13:35:32 1997
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA21099
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 7 Oct 1997 13:35:31 -0700 (PDT)
          (envelope-from karl@Codebase.mcs.net)
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89]) by Kitten.mcs.com (8.8.5/8.8.2) with ESMTP id PAA22851 for <FreeBSD-gnats-submit@freebsd.org>; Tue, 7 Oct 1997 15:35:31 -0500 (CDT)
Received: (from root@localhost) by Codebase.mcs.net (8.8.7/8.8.2) id PAA15733; Tue, 7 Oct 1997 15:35:30 -0500 (CDT)
Message-Id: <199710072035.PAA15733@Codebase.mcs.net>
Date: Tue, 7 Oct 1997 15:35:30 -0500 (CDT)
From: karl@mcs.net
Reply-To: karl@mcs.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: Serious bug in the libdes library (under secure)
X-Send-Pr-Version: 3.2

>Number:         4722
>Category:       misc
>Synopsis:       enc_writ.c has a missing "static" declaration
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    markm
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct  7 13:40:00 PDT 1997
>Closed-Date:    Wed Oct 8 00:09:14 PDT 1997
>Last-Modified:  Wed Oct  8 00:20:50 PDT 1997
>Originator:     Karl Denninger
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
MCSNet
>Environment:

	All 2.2 and later versions

>Description:

	The module enc_writ.c in /usr/src/secure/lib/libdes is missing a 
	"static" declaration for a buffer.  This causes a buffer to be
	continually malloc(3)d on each invocation, eventually leading to
	memory exhaustion (it should only be malloc'd once) since the space
	is never free(3)d and the intent is to grab heap on start-up and
	keep it for the duration of the execution of the program.

	Alternatively, if you're unlucky and the stack area you're pointing
	to is not initialized to zeros on each call, you get random results 
	which could be far worse and lead to segmentation violations or
	corrupted data.

	This code has not been touched in a LONG time; we knew of a problem
	quite some time ago, but weren't quite sure what was going on until
	recently when it became important to run down.

>How-To-Repeat:

	Any code which calls des_enc_write() a sufficient number of times
	will eventually experience this problem.  The symptom is that
	des_enc_write() will eventually return an error (-1) with errno 
	set to 12 (ENOMEM).  

>Fix:
	
Index: enc_writ.c
===================================================================
RCS file: /usr/cvs/src/secure/lib/libdes/enc_writ.c,v
retrieving revision 1.1.1.2
diff -r1.1.1.2 enc_writ.c
68c68
< 	char *outbuf=NULL;
---
> 	static	char *outbuf=NULL;
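Review bot: the hunk changes only the declaration at line 68, so whether the repeated malloc actually stops depends on the allocation further down the function being guarded by a test such as `if (outbuf == NULL)`; that guard is not visible in this plain `diff` output, so a unified or context diff (`diff -u` / `diff -c`) that includes the allocation lines would let the guard be reviewed together with the declaration. A static buffer also turns outbuf into process-wide state shared by every caller of des_enc_write(), so a short comment noting that the function is not reentrant would be worth adding alongside the change.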


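The leak described in this report, as an added example that is not the libdes code: a model of the allocate-once pattern in enc_writ.c with and without `static`, using a constructed counting allocator so the difference is visible without a heap profiler. BUFSIZE, the function names and the sample payload are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 8192  /* constructed size; stands in for the real libdes buffer */

/* Allocation counter so the effect can be observed without a heap profiler. */
static int allocs = 0;

static void *counted_malloc(size_t n) { allocs++; return malloc(n); }

/* Pattern as reported for enc_writ.c: outbuf is an automatic variable, so it is
   reset to NULL on every call, the "allocate once" guard always fires, and the
   previous buffer is leaked. Deliberately faulty to show the bug. */
static int leaky_write(const char *data, size_t len)
{
    char *outbuf = NULL;              /* NULL again on each call */
    if (outbuf == NULL) {
        outbuf = counted_malloc(BUFSIZE);
        if (outbuf == NULL) return -1; /* what eventually happens: ENOMEM */
    }
    if (len > BUFSIZE) len = BUFSIZE;
    memcpy(outbuf, data, len);
    return (int)len;                   /* outbuf is lost when we return */
}

/* Fixed pattern: static keeps the pointer across calls, so malloc runs once
   and the buffer lives for the rest of the process, as the report intends. */
static int fixed_write(const char *data, size_t len)
{
    static char *outbuf = NULL;
    if (outbuf == NULL) {
        outbuf = counted_malloc(BUFSIZE);
        if (outbuf == NULL) return -1;
    }
    if (len > BUFSIZE) len = BUFSIZE;
    memcpy(outbuf, data, len);
    return (int)len;
}

/* Run `calls` writes through fn and report how many heap allocations it made. */
static int count_allocations(int (*fn)(const char *, size_t), int calls)
{
    static const char payload[] = "constructed sample plaintext";
    int before = allocs;
    for (int i = 0; i < calls; i++)
        fn(payload, sizeof payload);
    return allocs - before;
}

int main(void)
{
    printf("leaky: %d allocations for 1000 calls\n", count_allocations(leaky_write, 1000));
    printf("fixed: %d allocations for 1000 calls\n", count_allocations(fixed_write, 1000));
    return 0;
}
```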
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Wed Oct 8 00:09:14 PDT 1997 
State-Changed-Why:  
Patch applied. Thanks! 

(Please give patches in unified or context format in the future. Thanks!) 


Responsible-Changed-From-To: freebsd-bugs->markm-bugs 
Responsible-Changed-By: markm 
Responsible-Changed-When: Wed Oct 8 00:09:14 PDT 1997 
Responsible-Changed-Why:  
libdes is my area. 
Responsible-Changed-From-To: markm-bugs->markm 
Responsible-Changed-By: markm 
Responsible-Changed-When: Wed Oct 8 00:20:01 PDT 1997 
Responsible-Changed-Why:  
I messed up the responsible: name. Sorry.
>Unformatted:
