From tim@robbins.dropbear.id.au  Wed Oct 31 15:59:04 2001
Return-Path: <tim@robbins.dropbear.id.au>
Received: from mango.robbins.dropbear.id.au (007.a.006.mel.iprimus.net.au [210.50.44.7])
	by hub.freebsd.org (Postfix) with ESMTP id 9843037B405
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 31 Oct 2001 15:59:01 -0800 (PST)
Received: (from tim@localhost)
	by mango.robbins.dropbear.id.au (8.11.6/8.11.6) id f9VNqU724114;
	Thu, 1 Nov 2001 10:52:31 +1100 (EST)
	(envelope-from tim)
Message-Id: <200110312352.f9VNqU724114@mango.robbins.dropbear.id.au>
Date: Thu, 1 Nov 2001 10:52:31 +1100 (EST)
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Reply-To: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: converters/mpack heap buffer overflow in header parsing code
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         31676
>Category:       ports
>Synopsis:       converters/mpack heap buffer overflow in header parsing code
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    ache
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 31 16:00:00 PST 2001
>Closed-Date:    Fri Nov 16 13:51:06 PST 2001
>Last-Modified:  Fri Nov 16 13:51:28 PST 2001
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD mango.robbins.dropbear.id.au 4.4-STABLE FreeBSD 4.4-STABLE #2: Sat Sep 29 03:42:56 EST 2001 tim@mango.robbins.dropbear.id.au:/usr/obj/usr/src/sys/GENERIC i386
munpack 1.5 from converters/mpack in FreeBSD ports collection.

>Description:
The `left' variable, which counts the number of bytes left in the buffer,
is not updated properly when realloc() is called to increase the size of
the buffer.
>How-To-Repeat:
Cause a message with a Content-Disposition or parameter to another header
that exceeds 2*1024 characters in length to be unpacked with munpack.

2048 chars isn't enough to crash it although memory is overwritten at
that point - 1mb of chars does the trick.
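An added illustration of the accounting the description refers to, not code from mpack or from this PR: a grow-as-you-go copy loop with the `left` counter reset after every xrealloc(). It uses its own consistent invariant (`to == value + alloced - left - 1`, one byte reserved for the NUL, check before write rather than `!--left`), and VALUEGROWSIZE, xrealloc() and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define VALUEGROWSIZE 256   /* assumed step size; mpack's real value is not in the PR */

/* Abort on allocation failure; assumed to match what mpack's xrealloc() does. */
static void *xrealloc(void *p, size_t n) { p = realloc(p, n); if (!p) abort(); return p; }

/* Copy `from' into a buffer grown in VALUEGROWSIZE steps, in the style of the
 * decode.c loops in the PR but with its own arithmetic. Invariant:
 * to == value + alloced - left - 1, so `left' is the number of bytes that may
 * still be written before the byte reserved for the NUL. Without the
 * `left = VALUEGROWSIZE' reset, `to' would be rebuilt from a stale `left' and
 * later writes would land past the end of the allocation. `to' is always
 * recomputed from `value' because xrealloc() may move the block. *maxoff gets
 * the largest data offset written and *alloced_out the final size. */
char *copy_value(const char *from, size_t *alloced_out, size_t *maxoff)
{
    size_t alloced = VALUEGROWSIZE;
    size_t left = alloced - 1;            /* one byte kept back for the NUL */
    char *value = xrealloc(NULL, alloced);
    char *to = value;
    *maxoff = 0;
    while (*from) {
        if (!left) {                      /* buffer full: grow and re-seed */
            alloced += VALUEGROWSIZE;
            value = xrealloc(value, alloced);
            left = VALUEGROWSIZE;         /* the line the PR's patch adds */
            to = value + alloced - left - 1;
        }
        *maxoff = (size_t)(to - value);
        *to++ = *from++;
        left--;
    }
    *to = '\0';
    *alloced_out = alloced;
    return value;
}

/* Copy a constructed value of `len' 'A' bytes (the repro above uses >2048 and
 * about 1 MB) and report whether the copy is intact and every write,
 * terminator included, stayed inside the allocation. */
int copy_is_bounded(size_t len)
{
    char *in = malloc(len + 1);
    if (!in) return 0;
    memset(in, 'A', len); in[len] = '\0';
    size_t alloced, maxoff;
    char *out = copy_value(in, &alloced, &maxoff);
    int ok = strcmp(in, out) == 0 && maxoff + 1 < alloced;
    free(in); free(out);
    return ok;
}
```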

>Fix:

The patch I had posted to the ports@FreeBSD.org mailing list earlier
was not correct. I believe this one is:

diff -ruN mpack-1.5/decode.c mpack/decode.c
--- mpack-1.5/decode.c	Fri Feb 17 08:39:44 1995
+++ mpack/decode.c	Thu Nov  1 10:40:23 2001
@@ -467,6 +467,7 @@
 	    if (!--left) {
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
+		left = VALUEGROWSIZE;
 		to = value + alloced - left - 2;
 	    }
 	    if (*from == '\\') {
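Review bot: the reset is in the right place, because the `to = value + alloced - left - 2;` line just below only points into the newly grown region when `left` has already been set; before this patch `left` was 0 here, so `to` was parked at `value + alloced - 2` with no room for the copies that follow, and the next `--left` moved the counter past zero so `!--left` never became true again, which matches the overflow the description reports. Rebuilding `to` from `value` rather than keeping the old pointer is correct since `xrealloc()` may move the block. One thing to confirm against the initialisation of `left` and `to` (outside this hunk): the counter is pre-decremented before the test, so a reset of exactly `VALUEGROWSIZE` together with the `- 2` slack will either overlap the last byte written before the grow or leave a one-byte gap unless the initial seeding follows the same convention; a test value whose length spans several grow steps would settle it.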
@@ -483,6 +484,7 @@
 	    if (!--left) {
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
+		left = VALUEGROWSIZE;
 		to = value + alloced - left - 2;
 	    }
 	    *to++ = *from++;
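Review bot: identical reset to the first hunk, and the `*to++ = *from++;` on the last line is the write that ran past the end of `value` once `to` had been placed at `value + alloced - 2`. Since this check-and-grow block now appears four times in the file, a small helper that grows `value`, resets `left` and repositions `to` would keep the fix from being lost the next time the loop is copied.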
@@ -572,6 +574,7 @@
 	    if (!--left) {
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
+		left = VALUEGROWSIZE;
 		to = value + alloced - left - 2;
 	    }
 	    if (*disposition == '\\') {
@@ -589,6 +592,7 @@
 	    if (!--left) {
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
+		left = VALUEGROWSIZE;
 		to = value + alloced - left - 2;
 	    }
 	    *to++ = *disposition++;
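Review bot: with this hunk all four grow sites are covered, but the two pairs walk different input (`from` in the first two hunks, `disposition` here and in the previous one), so a regression test needs both an oversized parameter on an ordinary header and an oversized Content-Disposition value, as the How-To-Repeat section describes; a value a little over 2048 bytes is enough to exercise the grow path even though the PR notes it does not crash by itself.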
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->ache 
Responsible-Changed-By: petef 
Responsible-Changed-When: Wed Oct 31 18:18:19 PST 2001 
Responsible-Changed-Why:  
over to maintainer 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31676 
State-Changed-From-To: open->closed 
State-Changed-By: ache 
State-Changed-When: Fri Nov 16 13:51:06 PST 2001 
State-Changed-Why:  
Committed 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31676 
>Unformatted:
