From eichin@arepa.com Thu Sep 24 17:45:26 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id RAA13161 for ; Thu, 24 Sep 1998 17:45:22 -0400
Received: from arepa.arepa.com by MIT.EDU with SMTP id AA01290; Thu, 24 Sep 98 17:45:16 EDT
Received: from noraneko.arepa.com (maneki-neko.arepa.com [209.21.177.131]) by arepa.com (8.8.5/8.8.5) with ESMTP id RAA21883; Thu, 24 Sep 1998 17:45:18 -0400
Received: by arepa.com via sendmail from stdin id (Debian Smail3.2.0.101) for krb5-bugs@mit.edu; Thu, 24 Sep 1998 17:45:16 -0400 (EDT)
Message-Id:
Date: 24 Sep 1998 17:45:16 -0400
From: eichin@thok.org
To: krb5-bugs@MIT.EDU
Subject: radix_encode overruns buffer
X-Send-Pr-Version: 3.99

>Number:         635
>Category:       pending
>Synopsis:       radix_encode overruns buffer
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnats-admin
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Sep 24 17:46:01 EDT 1998
>Last-Modified:  Thu Apr 4 17:18:06 EST 2002
>Originator:     Mark Eichin
>Organization:   The Herd Of Kittens
>Release:        current-19980924
>Environment:
source by inspection
>Description:
radix_encode will write a 0 byte past the end of the content it is decoding if the length of the original is not == 0 mod 3.
>How-To-Repeat:
use radix_encode with electric-fence or other vicious malloc, and allocate outbuf to be the size you encoded on inbuf, for encoded strings whose length is not divisible by 3.
>Fix:
c is already available as the accumulator from the encode half of the function; just use it instead of the "next" byte.

Index: radix.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftp/radix.c,v
retrieving revision 1.2
diff -u -p -r1.2 radix.c
--- radix.c	1998/05/06 20:01:28	1.2
+++ radix.c	1998/09/24 21:24:16
@@ -21,18 +21,18 @@ int *len, decode; D = p - radixN; switch (i&3) { case 0: - outbuf[j] = D<<2; + c = D<<2; break; case 1: - outbuf[j++] |= D>>4; - outbuf[j] = (D&15)<<4; + outbuf[j++] = c | D>>4; + c = (D&15)<<4; break; case 2: - outbuf[j++] |= D>>2; - outbuf[j] = (D&3)<<6; + outbuf[j++] = c | D>>2; + c = (D&3)<<6; break; case 3: - outbuf[j++] |= D; + outbuf[j++] = c | D; } } switch (i&3) {

>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Thu Apr 4 17:18:00 2002
State-Changed-Why:
patch applied.
>Unformatted:
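Review bot: the switch itself is right (cases 1 and 2 no longer park the leftover bits in `outbuf[j]`, so a partial final group no longer stores a byte at index j), but the trailing unchanged context `switch (i&3) {` is the post-loop handling and is not shown in the hunk; since the partial byte now lives only in `c`, confirm that nothing after the loop flushes `c` or reads the old `outbuf[j]` into the output, and that `*len` is derived from `j` (bytes actually stored), otherwise the caller still sees a length one too long. Also worth a comment in the code: `c` is shared with the encode half of the function, and the decode loop relies on `case 0` assigning it before `case 1` reads it, which holds only because `i` starts at 0.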
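As an added example, not the krb5 radix.c source (which is only quoted in the patch above), here is the decode loop from the hunk in both its pre-fix and accumulator forms, plus a sentinel check that shows the pre-fix form storing the zero byte at outbuf[j] for inputs whose original length is not a multiple of 3. The alphabet table, the names radix_decode and writes_past_end, and the test strings are assumptions of this example.

```c
#include <string.h>

/* Standard radix-64 alphabet, constructed for this example (not krb5's table). */
static const char radixN[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode a padded radix-64 string into outbuf; returns the data length j, or
 * -1 on a bad character.  patched == 0 mirrors the pre-fix switch: bits left
 * over from a partial group are parked in outbuf[j], one byte past the data
 * when the original length is not 0 mod 3.  patched == 1 mirrors the fix:
 * those bits stay in the accumulator c and outbuf[j] is never touched. */
static int radix_decode(const char *inbuf, unsigned char *outbuf, int patched)
{
    int i, j = 0, c = 0, D; const char *p;
    for (i = 0; inbuf[i] != '\0' && inbuf[i] != '='; i++) {
        if ((p = strchr(radixN, inbuf[i])) == NULL)
            return -1;
        D = (int)(p - radixN);
        switch (i & 3) {
        case 0:
            if (patched) c = D << 2; else outbuf[j] = D << 2;
            break;
        case 1:
            if (patched) { outbuf[j++] = c | D >> 4; c = (D & 15) << 4; }
            else         { outbuf[j++] |= D >> 4; outbuf[j] = (D & 15) << 4; }
            break;
        case 2:
            if (patched) { outbuf[j++] = c | D >> 2; c = (D & 3) << 6; }
            else         { outbuf[j++] |= D >> 2; outbuf[j] = (D & 3) << 6; }
            break;
        case 3:
            if (patched) outbuf[j++] = c | D; else outbuf[j++] |= D;
            break;
        }
    }
    return j;
}

/* Decode into a sentinel-filled buffer with slack (so this check itself stays
 * in bounds).  Returns 1 if the byte just past the decoded data was overwritten
 * (the reported bug), 0 if intact, -1 on error or if the data != 'expect'. */
static int writes_past_end(const char *enc, const char *expect, int patched)
{
    unsigned char outbuf[64]; int n;
    if (strlen(enc) > 40) return -1;          /* at most 30 bytes + 1 partial */
    memset(outbuf, 0xAA, sizeof outbuf);
    n = radix_decode(enc, outbuf, patched);
    if (n < 0 || (size_t)n != strlen(expect) || memcmp(outbuf, expect, (size_t)n) != 0)
        return -1;
    return outbuf[n] != 0xAA;
}
```

Under a strict allocator such as the electric-fence setup the report mentions, that extra store at outbuf[n] is the access that faults.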