Bug 500621 - possible buffer overflow
Summary: possible buffer overflow
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: nufw
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jerome Soyer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-13 13:36 UTC by Jan F. Chadima
Modified: 2009-11-25 17:42 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-25 17:42:57 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Jan F. Chadima 2009-05-13 13:36:07 UTC 
Description of problem:

in src/clients/lib/internal.c is potential buffer overflow in call to sasl_encode64, where is defined output buffer length longer than output buffer.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

patch awailable:
diff -up nufw-2.2.21/src/clients/lib/internal.c.sasl nufw-2.2.21/src/clients/lib/internal.c                               
--- nufw-2.2.21/src/clients/lib/internal.c.sasl 2009-05-11 09:16:15.896292354 +0200                                       
+++ nufw-2.2.21/src/clients/lib/internal.c      2009-05-11 09:16:36.781306803 +0200                                       
@@ -103,7 +103,7 @@ static int samp_send(gnutls_session sess                                                              
                return 0;                                                                                                 
        }                                                                                                                 
                                                                                                                          
-       result = sasl_encode64(buffer, length, buf + 3, alloclen, &len);                                                  
+       result = sasl_encode64(buffer, length, buf + 3, alloclen - 3, &len);                                              
        if (result != SASL_OK) {                                                                                          
                SET_ERROR(err, SASL_ERROR, result);                                                                       
                free(buf);
Comment 1 Tomas Mraz 2009-05-13 14:33:14 UTC 
The overflow is of course only potential because the current sasl_encode64 implementation will never requre more that alloclen-3 bytes for the encoding. But nevertheless the code should be fixed as in the patch above.
Comment 2 Bug Zapper 2009-06-09 15:44:53 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Tomas Mraz 2009-11-25 17:42:57 UTC 
As the buffer overflow is not real I've just reported the problem with the patch upstream.
Note You need to log in before you can comment on or make changes to this bug.