[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: out of bounds stack read in function idna_to_ascii_4i

From: Simon Josefsson
Subject: Re: out of bounds stack read in function idna_to_ascii_4i
Date: Wed, 20 Jul 2016 18:29:49 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

Hanno Böck <address@hidden> writes:

> Hi,
> When passing an input of exactly 64 bytes to the idn tool it will
> generate an out of bounds stack read.
> This happens in the function idna_to_ascii_4i.
> In Line 213 if the input is less than 64 bytes it will zero-terminate
> the string. However if it's exactly 64 bytes the input will fill the
> out buffer and no zero termination will happen. Therefore the strlen
> call in line 271 will cause an out of bounds.
> Attached a sample input and apatch that will return an error on a 64
> byte input. The strlen (out) > 63 check doesn't really make sense,
> because inside a 64 byte buffer there can never be a correct
> zero-terminated string longer than 63 bytes. Therefore I've removed
> that check.
> Found with the help of american fuzzy lop.

Thank you Hanno.  This was fixed in git earlier this year, but real life
intervened and distracted me.  Here is a link to the commit that should
fix this:

I'm preparing a new release, so if you or anyone else has any concerns
over this patch, now is a good time to bring it up.


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]