* [PATCH 1/2] lib: base64: Fix out-of-bounds potential by respecting dst_len
2025-12-01 14:09 [PATCH 0/2] Fix out-of-bounds potential in decode_base64 and add regression tests Jonas Rebmann
@ 2025-12-01 14:09 ` Jonas Rebmann
2025-12-01 14:09 ` [PATCH 2/2] test: self: add base64 selftests Jonas Rebmann
1 sibling, 0 replies; 3+ messages in thread
From: Jonas Rebmann @ 2025-12-01 14:09 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Jonas Rebmann
__decode_base64 generally writes its output in 3-byte increments,
corresponding to 4-byte increments in the base64 input buffer. This
means that in order to respect dst_len as the size of the output buffer,
the case of exceeding dst_len within a loop iteration must be
considered.
In such a case, refrain from writing the last one or two bytes if that
write would be past dst_len.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
lib/base64.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/base64.c b/lib/base64.c
index d5ab217528..3e29f0a56c 100644
--- a/lib/base64.c
+++ b/lib/base64.c
@@ -163,19 +163,19 @@ static int __decode_base64(char *p_dst, int dst_len, const char *src, bool url)
*/
if (count > 1)
*dst++ = six_bit[0] << 2 | six_bit[1] >> 4;
- if (count > 2)
+ if (count > 2 && dst_len > 1)
*dst++ = six_bit[1] << 4 | six_bit[2] >> 2;
- if (count > 3)
+ if (count > 3 && dst_len > 2)
*dst++ = six_bit[2] << 6 | six_bit[3];
+ /* last character was "=" */
+ if (count != 0)
+ length += min(count - 1, dst_len);
/*
* Note that if we decode "AA==" and ate first '=',
* we just decoded one char (count == 2) and now we'll
* do the loop once more to decode second '='.
*/
dst_len -= count-1;
- /* last character was "=" */
- if (count != 0)
- length += count - 1;
}
ret:
p_dst = dst;
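Review bot: The budget update `dst_len -= count-1;` still adds one to `dst_len` whenever a pass ends with `count == 0`, which the `if (count != 0)` guard just above it suggests can happen, so the new `dst_len > 1` and `dst_len > 2` checks may be evaluated against more space than the caller passed in. Tying the decrement to the bytes actually stored keeps the budget from ever growing: `if (count > 1) { int n = min(count - 1, dst_len); length += n; dst_len -= n; }`. The first store under `if (count > 1)` has no guard of its own and presumably relies on the loop condition, which lies outside this hunk along with the start and end of `__decode_base64`. A short comment at that store stating the invariant would make the bounds reasoning checkable in place.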
--
2.51.2.535.g419c72cb8a
* [PATCH 2/2] test: self: add base64 selftests
2025-12-01 14:09 [PATCH 0/2] Fix out-of-bounds potential in decode_base64 and add regression tests Jonas Rebmann
2025-12-01 14:09 ` [PATCH 1/2] lib: base64: Fix out-of-bounds potential by respecting dst_len Jonas Rebmann
@ 2025-12-01 14:09 ` Jonas Rebmann
1 sibling, 0 replies; 3+ messages in thread
From: Jonas Rebmann @ 2025-12-01 14:09 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Jonas Rebmann
These tests are specifically tailored around respecting the dst_len
parameter.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
test/self/Kconfig | 7 +++++++
test/self/Makefile | 1 +
test/self/base64.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 53 insertions(+)
diff --git a/test/self/Kconfig b/test/self/Kconfig
index 936b12072e..adef8609ef 100644
--- a/test/self/Kconfig
+++ b/test/self/Kconfig
@@ -28,6 +28,7 @@ config SELFTEST_AUTORUN
config SELFTEST_ENABLE_ALL
bool "Enable all self-tests"
+ select SELFTEST_BASE64
select SELFTEST_RANGE
select SELFTEST_PRINTF
select SELFTEST_MALLOC
@@ -52,6 +53,12 @@ config SELFTEST_ENABLE_ALL
help
Selects all self-tests compatible with current configuration
+config SELFTEST_BASE64
+ bool "base64 selftest"
+ select BASE64
+ help
+ Tests base64 implementation
+
config SELFTEST_RANGE
bool "range.h selftest"
help
diff --git a/test/self/Makefile b/test/self/Makefile
index 0bd947928a..d244c19052 100644
--- a/test/self/Makefile
+++ b/test/self/Makefile
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: GPL-2.0
obj-$(CONFIG_SELFTEST) += core.o
+obj-$(CONFIG_SELFTEST_BASE64) += base64.o
obj-$(CONFIG_SELFTEST_RANGE) += range.o
obj-$(CONFIG_SELFTEST_MALLOC) += malloc.o
obj-$(CONFIG_SELFTEST_TALLOC) += talloc.o
diff --git a/test/self/base64.c b/test/self/base64.c
new file mode 100644
index 0000000000..aedd5c6b58
--- /dev/null
+++ b/test/self/base64.c
@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <common.h>
+#include <bselftest.h>
+#include <base64.h>
+#include <string.h>
+
+BSELFTEST_GLOBALS();
+
+static void __expect_streq(const char *func, int line, int dst_len,
+ const char *src, int expect_len, const char *expect)
+{
+ int ret;
+ char *buf = strdup("canary");
+ bool fail = false;
+
+ total_tests++;
+ ret = decode_base64(buf, dst_len, src);
+ if (!streq_ptr(buf, expect)) {
+ fail = true;
+ printf("%s:%d: got '%s', but '%s' expected\n", func, line, buf,
+ expect);
+ }
+ if (ret != expect_len) {
+ fail = true;
+ printf("%s:%d: got length %i, but %i expected\n", func, line,
+ ret, expect_len);
+ }
+ if (fail)
+ failed_tests++;
+ free(buf);
+}
+
+#define expect_base64(dst_len, src, expect_len, expect) \
+ __expect_streq(__func__, __LINE__, dst_len, src, expect_len, expect)
+
+static void test_base64(void)
+{
+ expect_base64(1, "QUJD", 1, "Aanary");
+ expect_base64(5, "QUJD", 3, "ABCary");
+ expect_base64(5, "$UJD", 0, "canary");
+}
+bselftest(parser, test_base64);
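Review bot: The three cases in `test_base64` never reach the `dst_len > 2` guard or a padded tail, so only the second-byte check of the fix is covered. Adding `expect_base64(2, "QUJD", 2, "ABnary");` and `expect_base64(1, "QQ==", 1, "Aanary");` would pin the remaining paths; these values are constructed for illustration and should be confirmed against the decoder. In `__expect_streq` the result of `strdup("canary")` goes to `decode_base64` unchecked, so an allocation failure would reach the decoder as a NULL destination; an early `if (!buf)` that counts the test as failed is enough. A one-line comment noting that the 7-byte "canary" buffer is deliberately larger than every `dst_len` used, so that writes past `dst_len` show up as changed canary characters, would explain the expected strings.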
--
2.51.2.535.g419c72cb8a