From eichin@arepa.com Thu Sep 24 17:45:26 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id RAA13161 for <bugs@RT-11.MIT.EDU>; Thu, 24 Sep 1998 17:45:22 -0400
Received: from arepa.arepa.com by MIT.EDU with SMTP
id AA01290; Thu, 24 Sep 98 17:45:16 EDT
Received: from noraneko.arepa.com (maneki-neko.arepa.com [209.21.177.131])
by arepa.com (8.8.5/8.8.5) with ESMTP id RAA21883;
Thu, 24 Sep 1998 17:45:18 -0400
Received: by arepa.com
via sendmail from stdin
id <m0zMJCO-001B0vC@noraneko.arepa.com> (Debian Smail3.2.0.101)
for krb5-bugs@mit.edu; Thu, 24 Sep 1998 17:45:16 -0400 (EDT)
Message-Id: <xe1ww6t89sj.fsf@maneki-neko.arepa.com>
Date: 24 Sep 1998 17:45:16 -0400
From: eichin@thok.org
To: krb5-bugs@MIT.EDU
Subject: radix_encode overruns buffer
X-Send-Pr-Version: 3.99
>Number: 635
>Category: pending
>Synopsis: radix_encode overruns buffer
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 24 17:46:01 EDT 1998
>Last-Modified: Thu Apr 4 17:18:06 EST 2002
>Originator: Mark Eichin <eichin@thok.org>
>Organization:
The Herd Of Kittens
>Release: current-19980924
>Environment:
source by inspection
>Description:
radix_encode will write a 0 byte past the end of the content it is decoding if the length of the original is not == 0 mod 3.
>How-To-Repeat:
use radix_encode with electric-fence or other vicious malloc, and allocate outbuf to be the size you encoded on inbuf, for encoded strings whose length is not divisible by 3.
>Fix:
c is already available as the accumulator from the encode half of the
function; just use it instead of the "next" byte.
Index: radix.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftp/radix.c,v
retrieving revision 1.2
diff -u -p -r1.2 radix.c
--- radix.c 1998/05/06 20:01:28 1.2
+++ radix.c 1998/09/24 21:24:16
@@ -21,18 +21,18 @@ int *len, decode;
D = p - radixN;
switch (i&3) {
case 0:
- outbuf[j] = D<<2;
+ c = D<<2;
break;
case 1:
- outbuf[j++] |= D>>4;
- outbuf[j] = (D&15)<<4;
+ outbuf[j++] = c | D>>4;
+ c = (D&15)<<4;
break;
case 2:
- outbuf[j++] |= D>>2;
- outbuf[j] = (D&3)<<6;
+ outbuf[j++] = c | D>>2;
+ c = (D&3)<<6;
break;
case 3:
- outbuf[j++] |= D;
+ outbuf[j++] = c | D;
}
}
switch (i&3) {
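Review bot: the hunk ends on the context line `switch (i&3) {` that opens the post-loop tail handling, but that tail is not shown; since the partial byte is now carried in `c` instead of being parked at `outbuf[j]`, any code in that trailing switch that reads or finalises `outbuf[j]` needs the same treatment (or should be confirmed as only checking padding), otherwise the leftover bits move from an out-of-bounds write to a stale or silently dropped value. A short comment at `+ c = D<<2;` saying that `c` holds the not-yet-complete output byte between iterations would also help the next reader, given that `c` is being reused from the encode half of the function.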
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Thu Apr 4 17:18:00 2002
State-Changed-Why:
patch applied.
>Unformatted:
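As an added illustration, not part of this report or of the krb5 sources: a decoder that replays both the pre-patch logic (partial byte parked in outbuf[j]) and the patched accumulator logic from the hunk above, with every store bounds-checked so the out-of-range write of the How-To-Repeat section shows up as a count instead of a crash. The alphabet is assumed to be standard base64 (the report does not show radixN), and store and check are hypothetical helpers.

```c
#include <string.h>
/* Assumed alphabet: standard base64; the report's radixN table is not shown. */
static const char radixN[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Bounds-checked store (assign, or OR-in if or_in): an out-of-range index is
 * counted in *ov instead of being written, so the overrun is observable. */
static void store(unsigned char *out, size_t cap, int idx, int val, int or_in, int *ov)
{
    if ((size_t)idx >= cap) { ++*ov; return; }
    if (or_in) out[idx] |= (unsigned char)val; else out[idx] = (unsigned char)val;
}
/* Decode 'in' into out[cap].  fixed=0 replays the pre-patch code that parks each
 * partial byte in outbuf[j]; fixed=1 keeps it in c as the patch does.  Returns
 * bytes produced, or -1 on a character outside radixN. */
static int radix_decode(const char *in, unsigned char *out, size_t cap,
                        int fixed, int *ov)
{
    int i, j = 0, c = 0, D; const char *p;
    *ov = 0;
    for (i = 0; in[i] != '\0' && in[i] != '='; i++) {
        if ((p = strchr(radixN, in[i])) == NULL) return -1;
        D = (int)(p - radixN);
        switch (i & 3) {
        case 0:
            if (fixed) c = D << 2; else store(out, cap, j, D << 2, 0, ov); break;
        case 1:
            if (fixed) store(out, cap, j++, c | D >> 4, 0, ov);
            else { store(out, cap, j++, D >> 4, 1, ov);
                   store(out, cap, j, (D & 15) << 4, 0, ov); }
            c = (D & 15) << 4; break;      /* c is read only by the fixed variant */
        case 2:
            if (fixed) store(out, cap, j++, c | D >> 2, 0, ov);
            else { store(out, cap, j++, D >> 2, 1, ov);
                   store(out, cap, j, (D & 3) << 6, 0, ov); }
            c = (D & 3) << 6; break;
        case 3:
            store(out, cap, j++, fixed ? c | D : D, !fixed, ov);
        }
    }
    return j;
}
/* Decode into a buffer of exactly cap bytes (the How-To-Repeat allocation).
 * Returns how many out-of-bounds stores the chosen variant attempted, or -1 if
 * the input was rejected or the bytes that did land differ from expect. */
static int check(const char *in, const char *expect, size_t cap, int fixed)
{
    unsigned char buf[64] = {0};
    int ov = 0, n;
    if (cap > sizeof buf) return -1;
    n = radix_decode(in, buf, cap, fixed, &ov);
    return (n < 0 || (size_t)n != cap || memcmp(buf, expect, cap)) ? -1 : ov;
}
```

With a 3-character input ("TWE", two output bytes) the pre-patch variant attempts one store at index 2, exactly the stray trailing 0 byte the description reports, while the patched variant stays in bounds and yields the same bytes.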