Module Name: src
Committed By: christos
Date: Mon Nov 24 15:41:18 UTC 2014
Modified Files:
src/lib/libc/net: base64.c
Log Message:
Don't read past the end when the data is exactly the right size. Reported
by tedu @ openbsd in tech-userlevel. Thanks!
To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/lib/libc/net/base64.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/lib/libc/net/base64.c
diff -u src/lib/libc/net/base64.c:1.14 src/lib/libc/net/base64.c:1.15
--- src/lib/libc/net/base64.c:1.14 Mon Jun 25 18:32:44 2012
+++ src/lib/libc/net/base64.c Mon Nov 24 10:41:18 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: base64.c,v 1.14 2012/06/25 22:32:44 abs Exp $ */
+/* $NetBSD: base64.c,v 1.15 2014/11/24 15:41:18 christos Exp $ */
/*
* Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
@@ -47,7 +47,7 @@
#if 0
static const char rcsid[] = "Id: base64.c,v 1.4 2005/04/27 04:56:34 sra Exp";
#else
-__RCSID("$NetBSD: base64.c,v 1.14 2012/06/25 22:32:44 abs Exp $");
+__RCSID("$NetBSD: base64.c,v 1.15 2014/11/24 15:41:18 christos Exp $");
#endif
#endif /* LIBC_SCCS and not lint */
@@ -218,6 +218,7 @@ b64_pton(char const *src, u_char *target
{
size_t tarindex;
int state, ch;
+ u_char nextbyte;
char *pos;
_DIAGASSERT(src != NULL);
@@ -242,33 +243,36 @@ b64_pton(char const *src, u_char *target
if (target) {
if ((size_t)tarindex >= targsize)
return (-1);
- target[tarindex] =
- (unsigned char)(pos - Base64) << 2;
+ target[tarindex] = (u_char)(pos - Base64) << 2;
}
state = 1;
break;
case 1:
if (target) {
- if ((size_t)tarindex + 1 >= targsize)
+ if ((size_t)tarindex >= targsize)
return (-1);
target[tarindex] |=
(u_int32_t)(pos - Base64) >> 4;
- target[tarindex+1] =
- (unsigned char)
- (((pos - Base64) & 0x0f) << 4);
+ nextbyte = (u_char)((pos - Base64) & 0x0f) << 4;
+ if (tarindex + 1 < targsize)
+ target[tarindex + 1] = nextbyte;
+ else if (nextbyte)
+ return (-1);
}
tarindex++;
state = 2;
break;
case 2:
if (target) {
- if ((size_t)tarindex + 1 >= targsize)
+ if ((size_t)tarindex >= targsize)
return (-1);
target[tarindex] |=
(u_int32_t)(pos - Base64) >> 2;
- target[tarindex+1] =
- (unsigned char)
- (((pos - Base64) & 0x03) << 6);
+ nextbyte = (u_char)((pos - Base64) & 0x03) << 6;
+ if (tarindex + 1 < targsize)
+ target[tarindex + 1] = nextbyte;
+ else if (nextbyte)
+ return (-1);
}
tarindex++;
state = 3;
@@ -327,7 +331,8 @@ b64_pton(char const *src, u_char *target
* zeros. If we don't check them, they become a
* subliminal channel.
*/
- if (target && target[tarindex] != 0)
+ if (target && tarindex < targsize &&
+ target[tarindex] != 0)
return (-1);
}
} else {
