This is the mail archive of the glibc-bugs@sources.redhat.com mailing list for the glibc project.



[Bug libc/924] New: possible segfault in crypt/md5.c


Even though there are wonderful md5 computing routines in glibc, no public
interface is available to them (AFAIK), so whenever I want to compute md5
in a C program, I copy the md5.[ch] files from glibc and use those ones.

Probably this is the intended way to use them, since there are some
"#ifdef _LIBC"s in its source, I guess if md5.[ch] were to be used solely
for glibc, these wouldn't be there.

Recently I found a circumstance where this can lead to a segfault. All you
have to do is to compile and run such a trivial piece of code somewhere
in your application:

  struct md5_ctx md5;
  char buf[4096];
  memset(buf, 0, 4096);
  md5_init_ctx(&md5);
  md5_process_bytes(buf, 1, &md5);
  md5_process_bytes(buf, 4096, &md5);

The second md5_process_bytes() call causes a segmentation fault.

The cause of the problem is the following:

In this case when I manually compile an application using md5.[ch],
most likely none of STDC_HEADERS and _LIBC are defined. Hence at the
beginning of md5.c memcpy is #defined to be an alias to bcopy instead
of using the real memcpy from glibc.

However, a very important thing is that memcpy() and bcopy() differ
in their return value: memcpy returns the first argument, while bcopy
is void.

In md5.c line 258 the following is found:
  md5_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
which clearly assumes that memcpy returns its first argument, so it
easily leads to a segmentation fault if this memcpy is actually a bcopy.

Patch attached, please apply. Thanks!

-- 
           Summary: possible segfault in crypt/md5.c
           Product: glibc
           Version: 2.3.5
            Status: NEW
          Severity: minor
          Priority: P2
         Component: libc
        AssignedTo: gotom at debian dot or dot jp
        ReportedBy: egmont at uhulinux dot hu
                CC: glibc-bugs at sources dot redhat dot com


http://sources.redhat.com/bugzilla/show_bug.cgi?id=924
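
Added example, not part of the original report and not the attached patch: one way to keep the call shape quoted from md5.c safe when the copy routine returns nothing is to make the fallback macro yield the destination itself. The names void_copy, COPY_RET_DST and the demo_* context and functions are hypothetical stand-ins, not glibc code.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for bcopy(): source first, destination second, returns nothing.
   Hypothetical helper, so the example does not depend on <strings.h>. */
static void void_copy(const void *src, void *dst, size_t n)
{
    memmove(dst, src, n);
}

/* Fallback that keeps memcpy()'s contract: the comma expression performs
   the copy and then yields the destination pointer. Note that d is
   evaluated twice, so it must not have side effects. */
#define COPY_RET_DST(d, s, n) (void_copy((s), (d), (n)), (void *)(d))

struct demo_ctx {             /* constructed context, not glibc's md5_ctx */
    unsigned char buffer[128];
    const void *last_block;   /* pointer the block routine was handed */
    size_t blocks;
};

static void demo_process_block(const void *block, size_t len,
                               struct demo_ctx *ctx)
{
    (void)len;
    ctx->last_block = block;
    ctx->blocks++;
}

/* Same call shape as the line quoted from md5.c: the result of the copy
   is passed straight on as the block pointer. */
static void demo_feed64(struct demo_ctx *ctx, const void *data)
{
    demo_process_block(COPY_RET_DST(ctx->buffer, data, 64), 64, ctx);
}

/* Returns 1 if the block routine saw ctx->buffer holding the copied bytes. */
static int demo_check(void)
{
    struct demo_ctx ctx = {0};
    unsigned char in[64];
    memset(in, 0xA5, sizeof in);
    demo_feed64(&ctx, in);
    return ctx.last_block == (const void *)ctx.buffer
        && ctx.blocks == 1
        && memcmp(ctx.buffer, in, sizeof in) == 0;
}
```
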
