[2973] in Kerberos-V5-bugs
pending/635: radix_encode overruns buffer
daemon@ATHENA.MIT.EDU (eichin@thok.org)
Thu Sep 24 17:52:19 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, eichin@thok.org
Date: 24 Sep 1998 17:45:16 -0400
From: eichin@thok.org
To: krb5-bugs@MIT.EDU
>Number: 635
>Category: pending
>Synopsis: radix_encode overruns buffer
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 24 17:46:01 EDT 1998
>Last-Modified:
>Originator: Mark Eichin <eichin@thok.org>
>Organization:
The Herd Of Kittens
>Release: current-19980924
>Environment:
source by inspection
>Description:
radix_encode will write a 0 byte past the end of the content it
is decoding if the length of the original is not == 0 mod 3.
>How-To-Repeat:
use radix_encode with electric-fence or other vicious malloc,
and allocate outbuf to be the size you encoded on inbuf, for encoded
strings whose length is not divisible by 3.
>Fix:
c is already available as the accumulator from the encode half of the
function; just use it instead of the "next" byte.
Index: radix.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftp/radix.c,v
retrieving revision 1.2
diff -u -p -r1.2 radix.c
--- radix.c 1998/05/06 20:01:28 1.2
+++ radix.c 1998/09/24 21:24:16
@@ -21,18 +21,18 @@ int *len, decode;
D = p - radixN;
switch (i&3) {
case 0:
- outbuf[j] = D<<2;
+ c = D<<2;
break;
case 1:
- outbuf[j++] |= D>>4;
- outbuf[j] = (D&15)<<4;
+ outbuf[j++] = c | D>>4;
+ c = (D&15)<<4;
break;
case 2:
- outbuf[j++] |= D>>2;
- outbuf[j] = (D&3)<<6;
+ outbuf[j++] = c | D>>2;
+ c = (D&3)<<6;
break;
case 3:
- outbuf[j++] |= D;
+ outbuf[j++] = c | D;
}
}
switch (i&3) {
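Review bot: the trailing context `switch (i&3) {` after the loop looks like a post-loop fixup for a partial final group; since the `+` lines now hold the pending low bits in `c` instead of storing them at `outbuf[j]`, confirm that this switch (and anything else after the loop) does not read `outbuf[j]` expecting the old partial byte, or a length or padding check could silently change behaviour. With that verified, the change does what the synopsis asks: in the `-` lines each of `case 0`, `case 1` and `case 2` stores a partial byte at `outbuf[j]` one past the last complete byte (the stray 0 byte when the padding bits are zero), so a buffer sized exactly for the decoded length is overrun by one, whereas with `c` as the carry the only store on each path is `outbuf[j++] = c | D>>4` (and the analogous lines), so nothing is written beyond the last complete byte. Since `c` is declared outside this hunk, a one-line comment at its declaration saying it doubles as the decode carry would help the next reader.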
>Audit-Trail:
>Unformatted: