Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
Justin Pryzby wrote:
> Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
> It's not an integer overflow, btw, though it's not really a buffer
> overflow either; it's a set-an-arbitrary-byte-of-memory-to-zero bug.
Are you sure?
My investigation showed that
rlen goes from 0..49 and rbuf[rlen] is accessed
then rlen grows until 2147483647 while rbuf[rlen] is not accessed
due to rlen > sizeof(rbuf)
But then, since 2147483647 is INT_MAX, rlen will become -2147483648
and with the next character the condition rlen < sizeof(rbuf) is
true again, causing rbuf[rlen] = cbuf to be executed,
unfortunately rlen is now -2147483648 causing the program to
rlen goes from valid to invalid positive to invalid negative
--> integer overflow
MIME - broken solution for a broken design. -- Ralf Baechle
Please always Cc to me when replying to me on the lists.
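To illustrate the counter wrap discussed in this thread, here is an added example that is not the package's code: the buffer size and the shape of the loop are assumptions reconstructed from the mail. It computes the INT_MAX to INT_MIN wrap in defined arithmetic, models the bounds check both as a signed comparison and as the literal `rlen < sizeof(rbuf)` form (whose results differ because of C's usual arithmetic conversions), and shows a hardened reader that stops counting once the buffer is full.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed shape of the vulnerable reader (reconstructed from the mail, not
 * the package's source): a 50-byte rbuf and a signed int counter rlen that
 * keeps being incremented for every input byte, even once rbuf is full. */
#define RBUF_SIZE 50

/* rlen++ on a signed int is undefined behaviour in C, so the wrap is
 * computed in 32-bit unsigned arithmetic, where INT_MAX + 1 is defined
 * and converts back to INT_MIN on two's-complement targets. */
int wrapping_inc(int v)
{
    return (int)((uint32_t)v + 1u);
}

/* Guard as a signed comparison, e.g. against an int constant: a wrapped,
 * negative rlen passes and the following rbuf[rlen] = c writes before rbuf. */
int guard_signed(int rlen)
{
    return rlen < RBUF_SIZE;
}

/* Guard written literally as rlen < sizeof(rbuf): the usual arithmetic
 * conversions turn the int into size_t, so a negative rlen becomes a huge
 * unsigned value and the guard stays false. Whether the wrapped counter
 * reaches the store therefore depends on how the comparison is typed. */
int guard_sizet(int rlen)
{
    return (size_t)rlen < (size_t)RBUF_SIZE;
}

/* Hardened reader (added here, not the project's fix): unsigned length,
 * stop storing and stop counting once the buffer is full, and report the
 * overlong field to the caller instead of silently dropping bytes.
 * Returns the number of bytes stored, or -1 if the input did not fit. */
int read_field_safe(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t rlen = 0;
    for (size_t i = 0; i < n; i++) {
        if (rlen >= outsz)
            return -1;
        out[rlen++] = (char)in[i];
    }
    return (int)rlen;
}
```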