From nobody@FreeBSD.org  Thu Aug  5 08:31:11 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EA50216A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  5 Aug 2004 08:31:11 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DA70743D3F
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  5 Aug 2004 08:31:11 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i758VBpx095584
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 5 Aug 2004 08:31:11 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i758VBjM095582;
	Thu, 5 Aug 2004 08:31:11 GMT
	(envelope-from nobody)
Message-Id: <200408050831.i758VBjM095582@www.freebsd.org>
Date: Thu, 5 Aug 2004 08:31:11 GMT
From: Herve Masson <herve-bsdbt@mindstep.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: libfetch uses bad computation leading to memory overflow
X-Send-Pr-Version: www-2.3

>Number:         70022
>Category:       misc
>Synopsis:       libfetch uses bad computation leading to memory overflow
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 05 08:40:18 GMT 2004
>Closed-Date:    Tue Aug 10 01:09:23 GMT 2004
>Last-Modified:  Tue Aug 10 01:09:23 GMT 2004
>Originator:     Herve Masson
>Release:        zunobox server (www.netzuno.com) based on FreeBSD 4.9-RELEASE-p2
>Organization:
Mindstep Corp.
>Environment:
FreeBSD bytemill.montpellier.mindstep.com 4.9-RELEASE-p2 FreeBSD 4.9-RELEASE-p2 #0: Thu Mar  4 16:35:01 GMT 2004     root@bytemill.montpellier.mindstep.com:/tmp/bsdobjs/usr/src/sys/ZUNOBOX_DEV  i386
>Description:
The base64 encoding code as provided in http.c [function _http_base64()] uses the following expression to allocate memory for encoded version of the given string:

    if ((str = malloc(((l + 2) / 3) * 4)) == NULL)

This number does not include space for the terminating \0 byte, which is later inserted in the function. As a consequence, the first byte outside the allocated region is zeroed.
>How-To-Repeat:
I have never had a problem using command line programs on my BSD system; I noticed it when I ported this code on Windows, which has the memory overflow detection turned on in debug mode.
>Fix:
Use the following math:

if ((str = malloc(1+((l + 2) / 3) * 4)) == NULL)
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: simon 
Responsible-Changed-When: Thu Aug 5 10:04:44 GMT 2004 
Responsible-Changed-Why:  
Over to libfetch maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70022 
State-Changed-From-To: open->patched 
State-Changed-By: des 
State-Changed-When: Sat Aug 7 20:24:07 GMT 2004 
State-Changed-Why:  
Fixed in HEAD, MFC in three days. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70022 
State-Changed-From-To: patched->closed 
State-Changed-By: des 
State-Changed-When: Tue Aug 10 01:09:21 GMT 2004 
State-Changed-Why:  
MFCed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70022 
>Unformatted:
