Bug 5043 - iconv_open() should not crash on too long codepage arguments
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
Reported: 2007-09-18 15:05 UTC by Petr Baudis
Modified: 2014-06-13 11:17 UTC
fweimer: security+


Attachments
Proposed patch (645 bytes, patch)
2007-09-18 15:07 UTC, Petr Baudis

Description Petr Baudis 2007-09-18 15:05:22 UTC
iconv_open() currently crashes on too long codepage arguments, leading to
potential DoS security problems for various applications. See for example
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4783.
Comment 1 Petr Baudis 2007-09-18 15:07:13 UTC
Created attachment 2011
Proposed patch

Proposed patch.

It might be a good idea to make the max length of codepage name public for the
applications; I've chosen the name BSD uses for that #define.
Comment 2 Jakub Jelinek 2007-09-21 19:15:49 UTC
You mean if you use more than RLIMIT_STACK long argument?
If yes, glibc for this has __libc_use_alloca () check, so that it can use
malloc for very large requests.
Comment 3 Petr Baudis 2007-09-21 19:23:11 UTC
But does it make sense to use that instead of simple size check? It avoids an
arbitrary limit, but all of these strings ought to be short (maybe the limit
should be 128 instead of 64, just to be safe) and the code in iconv_open() would
get much uglier with basically useless malloc() casing.
Comment 4 Ulrich Drepper 2007-09-23 16:01:22 UTC
I changed the code in cvs.
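
Added example, not part of the bug thread and not the glibc patch: an application-side version of the simple size check discussed in comment 3, for callers that pass untrusted charset names to iconv_open() and may run on an unfixed libc. The names MAX_CHARSET_NAME, charset_name_ok and checked_iconv_open are hypothetical, and the limit of 128 is taken from the value floated in the thread.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical application-side limit; the thread discusses 64 and 128. */
#define MAX_CHARSET_NAME 128

/* Returns 1 if name is non-empty and at most MAX_CHARSET_NAME bytes long.
   memchr bounds the scan, so a huge input costs at most limit+1 reads. */
static int charset_name_ok(const char *name)
{
    if (name == NULL)
        return 0;
    const char *end = memchr(name, '\0', MAX_CHARSET_NAME + 1);
    if (end == NULL)
        return 0;                 /* no terminator within the limit */
    return end != name;           /* reject the empty string as well */
}

/* Wrapper for untrusted charset names: fail with EINVAL instead of
   handing an over-long string to iconv_open(). */
static iconv_t checked_iconv_open(const char *tocode, const char *fromcode)
{
    if (!charset_name_ok(tocode) || !charset_name_ok(fromcode)) {
        errno = EINVAL;
        return (iconv_t)-1;
    }
    return iconv_open(tocode, fromcode);
}

int main(void)
{
    /* Constructed input: a 1 MiB "charset name", as might arrive in a
       request header or file metadata. */
    size_t len = (size_t)1 << 20;
    char *huge = malloc(len + 1);
    if (huge == NULL)
        return 1;
    memset(huge, 'A', len);
    huge[len] = '\0';

    iconv_t cd = checked_iconv_open(huge, "UTF-8");
    printf("over-long name: %s\n",
           cd == (iconv_t)-1 ? strerror(errno) : "opened");
    free(huge);
    return 0;
}
```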