NetBSD Problem Report #39389

From www@NetBSD.org  Thu Aug 21 12:05:14 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id C2A2063B877
	for <gnats-bugs@gnats.netbsd.org>; Thu, 21 Aug 2008 12:05:13 +0000 (UTC)
Message-Id: <20080821120513.91A0A63B853@narn.NetBSD.org>
Date: Thu, 21 Aug 2008 12:05:13 +0000 (UTC)
From: usa@garbagecollect.jp
Reply-To: usa@garbagecollect.jp
To: gnats-bugs@NetBSD.org
Subject: crypt(3) has a little buffer overrun
X-Send-Pr-Version: www-1.0

>Number:         39389
>Category:       lib
>Synopsis:       crypt(3) has a little buffer overrun
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 21 12:10:01 +0000 2008
>Closed-Date:    Sun Sep 01 23:58:33 +0000 2019
>Last-Modified:  Sun Sep 01 23:58:33 +0000 2019
>Originator:     NAKAMURA Usaku
>Release:        NetBSD 4.99.46/i386
>Organization:
>Environment:
NetBSD zanzibar.garbagecollect.jp 4.99.46 NetBSD 4.99.46 (ZANZIBAR3) #0: Sun Dec 30 20:58:11 JST 2007  root@zanzibar.garbagecollect.jp:/usr/src/sys/arch/i386/compile/ZANZIBAR3 i386

>Description:
When passing the second argument with characters which are out of the range of '\0'-'\x7F' to crypt(3), it will access the inner table named a64toi[] beyond its boundary.

But in such a case it doesn't cause serious problems, because there are other large tables after a64toi[].
So this is non-critical, but only a small worry to me.

>How-To-Repeat:
#include <unistd.h>

int main(void)
{
	/* salt bytes outside '\0'-'\x7F' index a64toi[] beyond its boundary */
	crypt("", "\xff\xff");
	return 0;
}

>Fix:
Index: crypt.c
===================================================================
RCS file: /cvs/cvsroot/src/lib/libcrypt/crypt.c,v
retrieving revision 1.26
diff -u -1 -p -r1.26 crypt.c
--- crypt.c     17 Jan 2007 23:24:22 -0000      1.26
+++ crypt.c     21 Aug 2008 12:02:43 -0000
@@ -540,3 +540,4 @@ crypt(key, setting)
 			encp[i] = t;
-			num_iter = (num_iter<<6) | a64toi[t];
+			num_iter = (num_iter<<6) |
+				a64toi[(unsigned)t < sizeof(a64toi) ? t : 0];
 		}
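Review bot: in the new num_iter line an out-of-range t is silently mapped to a64toi[0], so a malformed setting is still accepted and decoded as if it held a valid character, and the context line "encp[i] = t;" has already copied the raw byte into the output. Consider rejecting the setting at this point, or state in a comment why falling back to index 0 is acceptable. A short comment that the (unsigned) cast is what catches negative values of t would also help the next reader.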
@@ -556,3 +557,3 @@ crypt(key, setting)
 		encp[i] = t;
-		salt = (salt<<6) | a64toi[t];
+		salt = (salt<<6) | a64toi[(unsigned)t < sizeof(a64toi) ? t : 0];
 	}
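Review bot: the bounds expression in the salt line is a second copy of the one in the num_iter hunk, and sizeof(a64toi) is a byte count that only equals the number of entries while each element is one byte wide. A small macro or helper built on sizeof(a64toi) / sizeof(a64toi[0]) would keep both call sites identical and survive a change of element type; it would also bring this line back to a comfortable width.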

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 01 Sep 2019 23:58:33 +0000
State-Changed-Why:
Fixed in crypt.c:1.29: avoid accessing array over its bound, from Solar Designer 
thanks for the report.
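
The out-of-range index from the Description above, as an added example (not code from NetBSD's crypt.c and not the committed fix). It assumes a 128-entry table filled from the traditional crypt(3) base-64 alphabet; table, raw_index, index_in_bounds and salt_value are hypothetical names. Unlike the proposed patch, the checked lookup rejects a bad byte instead of mapping it to entry 0.

```c
#include <stddef.h>

/* Constructed stand-in for a64toi[]: one entry per 7-bit character,
 * filled from the traditional crypt(3) alphabet (an assumption of this
 * example, not copied from crypt.c). */
static const char alphabet[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static unsigned char table[128];

static void init_table(void)
{
	for (size_t i = 0; alphabet[i] != '\0'; i++)
		table[(unsigned char)alphabet[i]] = (unsigned char)i;
}

/* The index an unchecked table[t] would use. For '\xff' this is -1 where
 * plain char is signed and 255 where it is unsigned; nothing is read. */
static long raw_index(const char *setting, size_t pos)
{
	return (long)setting[pos];
}

/* 1 if idx is a valid subscript for table[], 0 otherwise. */
static int index_in_bounds(long idx)
{
	return idx >= 0 && (size_t)idx < sizeof(table) / sizeof(table[0]);
}

/* Checked lookup: 0..63 for a valid salt character, -1 for a byte outside
 * '\0'-'\x7F' or an in-range character that is not in the alphabet. */
static int salt_value(const char *setting, size_t pos)
{
	unsigned char c = (unsigned char)setting[pos];

	if (c >= sizeof(table) / sizeof(table[0]) || (c != '.' && table[c] == 0))
		return -1;
	return table[c];
}

int main(void)
{
	init_table();
	/* exit status 0 when the report's input is detected and rejected */
	return index_in_bounds(raw_index("\xff\xff", 0)) ||
	    salt_value("\xff\xff", 0) != -1;
}
```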


>Unformatted:
