
Bug#278191: CAN-2005-0079: authentication bypass via integer overflow



Justin Pryzby wrote:
> Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
>                                                      ^^^^^^^^^^^^^^^^
> 
> It's not an integer overflow, btw, though it's not really a buffer
> overflow either; it's a set-an-arbitrary-byte-of-memory-to-zero bug.

Are you sure?

My investigation showed that

rlen goes from 0..49 and rbuf[rlen] is accessed;
then rlen grows until 2147483647 while rbuf[rlen] is not accessed,
   due to rlen > sizeof(rbuf).
But then, since 2147483647 is INT_MAX, rlen will become -2147483648,
and with the next character the condition rlen < sizeof(rbuf) is
   true again, causing rbuf[rlen] = cbuf[0] to be executed;
   unfortunately rlen is now -2147483648, causing the program to
   crash.

rlen goes from valid to invalid positive to invalid negative
  --> integer overflow

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
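The counter wrap Joey describes, as an added example that is not code from the bug report or from the affected package. It models a read loop whose signed length keeps counting past the end of its buffer, next to a hardened loop whose length saturates at the buffer size. The buffer size (50), the exact shape of the bound check, and the starting values of rlen are assumptions chosen so the wrap is reached without feeding 2^31 bytes; no out-of-bounds memory is actually written, the simulation only records where the write would have gone.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Matches the 0..49 range in the mail; the real buffer size is an assumption. */
#define RBUF_SIZE 50

/* What feeding bytes into a length-counting read loop would have done. */
struct read_result {
    size_t  in_bounds_writes;   /* writes that land in rbuf[0..RBUF_SIZE-1] */
    int     negative_write;     /* 1 if a write with rlen < 0 would have happened */
    int32_t final_rlen;         /* value of the counter after the last byte */
};

/* Two's-complement wrap done in unsigned arithmetic: signed overflow is
 * undefined in C, so the INT_MAX -> INT_MIN step is reproduced explicitly. */
static int32_t wrapping_inc(int32_t v)
{
    return (int32_t)((uint32_t)v + 1u);
}

/* Vulnerable shape (assumed, modelled on the mail): a signed length is
 * compared against the buffer size as a signed value, and the counter keeps
 * incrementing after the buffer is full. Starting rlen at an arbitrary
 * value stands in for the 2^31 bytes that would otherwise be needed. */
static struct read_result vulnerable_loop(int32_t rlen, size_t nbytes)
{
    struct read_result r = {0, 0, rlen};
    for (size_t i = 0; i < nbytes; i++) {
        if (rlen < (int32_t)RBUF_SIZE) {     /* passes for every negative rlen */
            if (rlen < 0)
                r.negative_write = 1;        /* rbuf[rlen] = cbuf[0] would go here */
            else
                r.in_bounds_writes++;
        }
        rlen = wrapping_inc(rlen);           /* INT_MAX + 1 wraps to INT_MIN */
    }
    r.final_rlen = rlen;
    return r;
}

/* Hardened shape: an unsigned length that stops at RBUF_SIZE instead of
 * counting on, so it can neither wrap nor become negative; excess input
 * is discarded. */
static struct read_result hardened_loop(size_t rlen, size_t nbytes)
{
    struct read_result r = {0, 0, 0};
    for (size_t i = 0; i < nbytes; i++) {
        if (rlen < RBUF_SIZE) {
            r.in_bounds_writes++;
            rlen++;
        }
    }
    r.final_rlen = (int32_t)rlen;
    return r;
}

int main(void)
{
    struct read_result a = vulnerable_loop(0, 60);
    struct read_result b = vulnerable_loop(INT32_MAX - 1, 3);
    struct read_result c = hardened_loop(0, 60);

    printf("vulnerable, start 0, 60 bytes:        %zu writes, negative=%d, rlen=%ld\n",
           a.in_bounds_writes, a.negative_write, (long)a.final_rlen);
    printf("vulnerable, start INT_MAX-1, 3 bytes: %zu writes, negative=%d, rlen=%ld\n",
           b.in_bounds_writes, b.negative_write, (long)b.final_rlen);
    printf("hardened, start 0, 60 bytes:          %zu writes, negative=%d, rlen=%ld\n",
           c.in_bounds_writes, c.negative_write, (long)c.final_rlen);
    return 0;
}
```

Two things worth checking against the real source when triaging a report like this: whether the counter is a signed type at all, and how the bound check is written. In standard C a literal `rlen < sizeof(rbuf)` with an `int` rlen converts rlen to `size_t` first, so a negative rlen becomes a huge unsigned value and the check fails; the wrap only reaches a write if the comparison is done in signed arithmetic, which is why the example casts the size. Either way, the fix is the one in `hardened_loop`: stop advancing the length once the buffer is full, so the counter's range is bounded by the buffer and not by the input.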