Date: Thu, 6 Aug 2009 11:55:04 GMT From: Jonathan Bokovza <onatan@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/137484: Integer overflow in wpa_supplicant base64 encoder Message-ID: <200908061155.n76Bt4vb015981@www.freebsd.org> Resent-Message-ID: <200908061200.n76C0IPC029374@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 137484 >Category: bin >Synopsis: Integer overflow in wpa_supplicant base64 encoder >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Aug 06 12:00:18 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Jonathan Bokovza >Release: 7.2 >Organization: Afarsec >Environment: FreeBSD hmmm.mmmm.com 7.2-STABLE FreeBSD 7.2-STABLE #24: Fri Jun 12 16:21:06 IDT 2009 root@hmmmm.mmmm.com:/usr/obj/usr/src/sys/KERN i386 >Description: from src/contrib/wpa_supplicant/base64.c : unsigned char * base64_encode(const unsigned char *src, size_t len, size_t *out_len) { unsigned char *out, *pos; const unsigned char *end, *in; size_t olen; int line_len; olen = len * 4 / 3 + 4; /* 3-byte blocks to 4-byte */ olen += olen / 72; /* line feeds */ olen++; /* nul termination */ out = os_malloc(olen); if (out == NULL) return NULL; If len is large enough then olen will wrap and malloc will allocate too little memory. This might be a security issue. >How-To-Repeat: N/A >Fix: olen++; /* nul termination */ if (olen < len) return NULL; out = os_malloc(olen); if (out == NULL) return NULL; >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908061155.n76Bt4vb015981>