Date: Thu, 6 Aug 2009 11:55:04 GMT From: Jonathan Bokovza <onatan@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/137484: Integer overflow in wpa_supplicant base64 encoder Message-ID: <200908061155.n76Bt4vb015981@www.freebsd.org> Resent-Message-ID: <200908061200.n76C0IPC029374@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 137484
>Category: bin
>Synopsis: Integer overflow in wpa_supplicant base64 encoder
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 06 12:00:18 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Jonathan Bokovza
>Release: 7.2
>Organization:
Afarsec
>Environment:
FreeBSD hmmm.mmmm.com 7.2-STABLE FreeBSD 7.2-STABLE #24: Fri Jun 12 16:21:06 IDT 2009 root@hmmmm.mmmm.com:/usr/obj/usr/src/sys/KERN i386
>Description:
from src/contrib/wpa_supplicant/base64.c :
unsigned char * base64_encode(const unsigned char *src, size_t len,
size_t *out_len)
{
unsigned char *out, *pos;
const unsigned char *end, *in;
size_t olen;
int line_len;
olen = len * 4 / 3 + 4; /* 3-byte blocks to 4-byte */
olen += olen / 72; /* line feeds */
olen++; /* nul termination */
out = os_malloc(olen);
if (out == NULL)
return NULL;
If len is large enough then olen will wrap and malloc will allocate too little memory. This might be a security issue.
>How-To-Repeat:
N/A
>Fix:
olen++; /* nul termination */
if (olen < len)
return NULL;
out = os_malloc(olen);
if (out == NULL)
return NULL;
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908061155.n76Bt4vb015981>