Message-ID: <87r2y2vrsg.fsf@gmail.com>
Date: Thu, 29 Jun 2017 15:37:19 +0200
From: Leah Neukirchen <leah@...u.org>
To: musl@...ts.openwall.com
Subject: Out-of-bounds read in twobyte_memmem
Hello,
As mentioned in #musl, twobyte_memmem in memmem.c does an out of
bounds read to the byte after the final byte of the buffer, when it
updates hw using *++h before checking k. Similar code in strstr is
unproblematic since there it will only read the NUL terminator.
Proposed solution is to rewrite the for-loop to make control flow
order explicit, but there may be a more idiomatic solution than this:
#include <stddef.h>
#include <stdint.h>

static char *twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
{
    uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
    h++;
    k--;
    for (;;) {
        /* compare the current two-byte window before doing any further read */
        if (hw == nw) return (char *)h-1;
        /* no bytes left: stop here instead of reading h[1] past the end */
        if (!--k) return 0;
        hw = hw<<8 | *++h;
    }
    return 0;
}
This bug was detected by @mourais during development of mblaze on
OpenBSD, using MALLOC_OPTIONS=G.
Thanks,
--
Leah Neukirchen <leah@...u.org> http://leah.zone
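The following is an added example, not code from the message above or from musl. It puts the pre-fix loop shape (hw updated via the for-increment before k is re-checked) next to the proposed compare-first loop, with every haystack byte fetched through a constructed bounds-tracking accessor so the extra read shows up as a counter rather than as a silent load or a crash. Names such as peek, twobyte_old, twobyte_new and run are inventions for this harness; the haystack/needle inputs are constructed. Like memmem's caller, it assumes a needle of exactly two bytes and a haystack of at least two bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed haystack wrapper: p/len are the bytes the caller owns,
 * oob_reads counts every fetch at an index >= len. */
struct hay {
    const unsigned char *p;
    size_t len;
    size_t oob_reads;
};

/* Stand-in for *h: records out-of-bounds indexes instead of reading them. */
static unsigned char peek(struct hay *b, size_t i)
{
    if (i >= b->len) {
        b->oob_reads++;
        return 0;  /* whatever happens to follow the buffer in real memory */
    }
    return b->p[i];
}

/* Loop shape from the report: the for-increment advances h and reads the
 * next byte before k is tested, so the last iteration reads one byte past
 * the end whenever the needle is not found. Assumes b->len >= 2. */
static const unsigned char *twobyte_old(struct hay *b, const unsigned char *n)
{
    size_t h = 0, k = b->len;
    uint16_t nw = n[0]<<8 | n[1], hw = peek(b, 0)<<8 | peek(b, 1);
    for (h++, k--; k; k--, hw = hw<<8 | peek(b, ++h))
        if (hw == nw) return b->p + h - 1;
    return NULL;
}

/* Proposed loop: compare, then check whether any byte remains, and only
 * then read the next one. Assumes b->len >= 2. */
static const unsigned char *twobyte_new(struct hay *b, const unsigned char *n)
{
    size_t h = 0, k = b->len;
    uint16_t nw = n[0]<<8 | n[1], hw = peek(b, 0)<<8 | peek(b, 1);
    h++;
    k--;
    for (;;) {
        if (hw == nw) return b->p + h - 1;
        if (!--k) return NULL;
        hw = hw<<8 | peek(b, ++h);
    }
}

typedef const unsigned char *(*twobyte_fn)(struct hay *, const unsigned char *);

/* Runs one implementation; returns the match offset or -1 and, if oob is
 * non-NULL, how many reads went past the end of the haystack. */
static long run(twobyte_fn f, const char *hs, size_t len, const char *nd, size_t *oob)
{
    struct hay b = { (const unsigned char *)hs, len, 0 };
    const unsigned char *r = f(&b, (const unsigned char *)nd);
    if (oob) *oob = b.oob_reads;
    return r ? (long)(r - b.p) : -1;
}

static size_t oob_reads(twobyte_fn f, const char *hs, size_t len, const char *nd)
{
    size_t n;
    run(f, hs, len, nd, &n);
    return n;
}

int main(void)
{
    /* Constructed inputs. The length is passed explicitly, like memmem's
     * haystack length, so the literal's NUL terminator is outside the buffer:
     * that is exactly the byte strstr may read but memmem may not. */
    const char *cases[][2] = { {"ab", "cd"}, {"hello", "zz"}, {"xxab", "ab"}, {"hello", "ll"} };
    size_t lens[] = { 2, 5, 4, 5 };
    for (size_t i = 0; i < 4; i++) {
        size_t o1, o2;
        long r1 = run(twobyte_old, cases[i][0], lens[i], cases[i][1], &o1);
        long r2 = run(twobyte_new, cases[i][0], lens[i], cases[i][1], &o2);
        printf("%-6s / %s  old: off=%ld oob=%zu  new: off=%ld oob=%zu\n",
               cases[i][0], cases[i][1], r1, o1, r2, o2);
    }
    return 0;
}
```

Both loops return the same offsets whenever the needle is present; they differ only on a miss, where the old shape performs one read at index len and the proposed shape performs none. On a real build the counter is replaced by the actual load, which is why the report's MALLOC_OPTIONS=G (guard pages after each allocation) or an AddressSanitizer build is what catches it in practice.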