Bug 500621

Summary: possible buffer overflow
Product: [Fedora] Fedora
Reporter: Jan F. Chadima <jchadima>
Component: nufw
Assignee: Jerome Soyer <saispo>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: saispo, tmraz
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-25 17:42:57 UTC

Description Jan F. Chadima 2009-05-13 13:36:07 UTC
Description of problem:

In src/clients/lib/internal.c there is a potential buffer overflow in the call to sasl_encode64, where the output buffer length passed is longer than the output buffer.

Additional info:

patch available:
diff -up nufw-2.2.21/src/clients/lib/internal.c.sasl nufw-2.2.21/src/clients/lib/internal.c                               
--- nufw-2.2.21/src/clients/lib/internal.c.sasl 2009-05-11 09:16:15.896292354 +0200                                       
+++ nufw-2.2.21/src/clients/lib/internal.c      2009-05-11 09:16:36.781306803 +0200                                       
@@ -103,7 +103,7 @@ static int samp_send(gnutls_session sess                                                              
                return 0;                                                                                                 
        }                                                                                                                 
                                                                                                                          
-       result = sasl_encode64(buffer, length, buf + 3, alloclen, &len);                                                  
+       result = sasl_encode64(buffer, length, buf + 3, alloclen - 3, &len);                                              
        if (result != SASL_OK) {                                                                                          
                SET_ERROR(err, SASL_ERROR, result);                                                                       
                free(buf);
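Review bot: the subtraction `alloclen - 3` on the `+` line is unguarded; nothing visible in this hunk shows that `alloclen` is at least 3, and if `alloclen` is an unsigned type a smaller value wraps to a huge capacity, which defeats the very length check inside sasl_encode64 that the patch is trying to make meaningful. Suggest confirming at the allocation site (not shown here) that the buffer always covers the 3-byte prefix before the encoded data, or adding an explicit `if (alloclen < 3)` error path ahead of the call. With the corrected size, the existing `if (result != SASL_OK)` branch is what turns an undersized buffer into a reported error and a `free(buf)` rather than a write past the end, so that branch needs to stay as the only exit on failure.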

Comment 1 Tomas Mraz 2009-05-13 14:33:14 UTC
The overflow is of course only potential because the current sasl_encode64 implementation will never require more than alloclen-3 bytes for the encoding. But nevertheless the code should be fixed as in the patch above.
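The sizing mistake in the description and the size bound given in Comment 1 can be shown with a small stand-alone program. This is an added example, not nufw's code and not Cyrus SASL's sasl_encode64: encode64 below is a minimal base64 encoder written to model the one property the patch relies on (refuse to write when the declared output capacity is too small), and send_framed, room_after_offset, buggy_call and fixed_call are hypothetical helpers. The 3-byte header is zero-filled because the report does not say what nufw stores there, and the buffer is deliberately over-allocated so the over-stated capacity is observed as a flag rather than as memory corruption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a base64 encoding of inlen input bytes needs, including the NUL:
 * four output characters per three input bytes, rounded up. */
size_t b64_encoded_size(size_t inlen)
{
    return 4 * ((inlen + 2) / 3) + 1;
}

/* Minimal base64 encoder with the contract the patch relies on (an assumption
 * about sasl_encode64 modelled here, not Cyrus SASL's code): when outmax is
 * too small for the result it writes nothing and returns -1; otherwise it
 * writes a NUL-terminated encoding, stores its length in *outlen and returns 0. */
int encode64(const unsigned char *in, size_t inlen, char *out, size_t outmax, size_t *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;

    if (outmax < b64_encoded_size(inlen))
        return -1;                      /* the caller's declared capacity is too small */

    for (size_t i = 0; i < inlen; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < inlen) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < inlen) v |= (unsigned)in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    if (outlen) *outlen = o;
    return 0;
}

/* Capacity left in an alloclen-byte buffer when writing at offset. Returns 0
 * rather than wrapping when the offset itself does not fit, which a bare
 * `alloclen - offset` on an unsigned type would do. */
size_t room_after_offset(size_t alloclen, size_t offset)
{
    return offset <= alloclen ? alloclen - offset : 0;
}

/* What one call decided: did the encoder accept the declared capacity, and
 * would the bytes it wrote have stayed inside the alloclen-byte buffer? */
struct outcome {
    int accepted;
    int in_bounds;
};

/* Encode payload after a 3-byte header (zero-filled; the report does not say
 * what nufw puts there) into a buffer the caller sized as alloclen bytes.
 * `capacity` is what the caller tells the encoder about the payload region.
 * The buffer is over-allocated so an over-stated capacity shows up in
 * in_bounds instead of corrupting memory in this demonstration. */
struct outcome send_framed(const unsigned char *payload, size_t n, size_t alloclen, size_t capacity)
{
    struct outcome r = { 0, 1 };
    size_t len = 0;
    char *buf = calloc(alloclen + 64, 1);   /* slack exists only for the demonstration */
    if (!buf)
        return r;
    if (encode64(payload, n, buf + 3, capacity, &len) == 0) {
        r.accepted = 1;
        r.in_bounds = (3 + len + 1 <= alloclen);   /* header + encoding + NUL */
    }
    free(buf);
    return r;
}

/* Shape of the call before the patch: the whole allocation is declared as the
 * capacity of a region that starts 3 bytes in. */
struct outcome buggy_call(const unsigned char *p, size_t n, size_t alloclen)
{
    return send_framed(p, n, alloclen, alloclen);
}

/* Shape of the call after the patch: capacity reduced by the 3-byte header. */
struct outcome fixed_call(const unsigned char *p, size_t n, size_t alloclen)
{
    return send_framed(p, n, alloclen, room_after_offset(alloclen, 3));
}

int main(void)
{
    const unsigned char payload[] = "abcdef";   /* constructed sample: 6 bytes -> 8 chars + NUL */
    size_t alloclen = 11;                       /* one byte short of 3 + 9 */
    struct outcome b = buggy_call(payload, 6, alloclen);
    struct outcome f = fixed_call(payload, 6, alloclen);
    printf("buggy: accepted=%d in_bounds=%d\n", b.accepted, b.in_bounds);
    printf("fixed: accepted=%d in_bounds=%d\n", f.accepted, f.in_bounds);
    return 0;
}
```

With an 11-byte buffer and a 6-byte payload the buggy form is accepted by the encoder and lands one byte past the allocation, while the fixed form is refused before anything is written. This is also why the overflow is only "potential": the encoder's own size check is the last line of defence, and the original call lied to it by exactly the width of the header.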

Comment 2 Bug Zapper 2009-06-09 15:44:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and the reason for this action are here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Tomas Mraz 2009-11-25 17:42:57 UTC
As the buffer overflow is not real, I've just reported the problem with the patch upstream.