https://bz.apache.org/bugzilla/show_bug.cgi?id=66037
Bug ID: 66037
Summary: Latent write beyond bounds in h2_util_header_print()
[zhbug_httpd_104]
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_http2
Assignee: bugs@httpd.apache.org
Reporter: generalbugs@zippenhop.com
Target Milestone: ---
There is a write-beyond-bounds bug in h2_util_header_print()
(modules/http2/h2_util.c) in httpd 2.4.53+. [1]
The bug appears to be latent in httpd 2.4.53 because nothing seems to call
h2_util_header_print().
The bug is caused by using the condition |offset < maxlen; ... ++offset| in
various |for| loops when indexing a buffer, then following the loops with
|buffer[offset] ='\0';| . Thus sufficiently-long data causes |offset| to become
== |maxlen| after a |for| loop, causing the |'\0'| to be written beyond bounds
and the out-of-bounds value of |offset| to be returned to the caller:
79: size_t h2_util_header_print(char *buffer, size_t maxlen,
80: const char *name, size_t namelen,
81: const char *value, size_t valuelen)
82: {
83: size_t offset = 0;
84: size_t i;
85: for (i = 0; i < namelen && offset < maxlen; ++i, ++offset) {
86: buffer[offset] = name[i];
87: }
88: for (i = 0; i < 2 && offset < maxlen; ++i, ++offset) {
89: buffer[offset] = ": "[i];
90: }
91: for (i = 0; i < valuelen && offset < maxlen; ++i, ++offset) {
92: buffer[offset] = value[i];
93: }
94: buffer[offset] = '\0';
95: return offset;
96: }
You can demonstrate the bug by copying the function into a scratch file, then
calling in thusly:
char buf[20];
const char name[]="0123456789";
const char val[]="0123456789";
size_t s = h2_util_header_print(buf, sizeof(buf), name, strlen(name), val,
strlen(val));
and stepping h2_util_header_print() in a debugger, watching |buf| for the
overwrite.
Note also that the function can create a malformed |buffer| if, e.g., |namelen
>= maxlen| (|buffer| will contain only |name| followed by '\0').
[1] The security team has asked me to file "hardening" (latent) bugs publicly.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
Bug ID: 66037
Summary: Latent write beyond bounds in h2_util_header_print()
[zhbug_httpd_104]
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_http2
Assignee: bugs@httpd.apache.org
Reporter: generalbugs@zippenhop.com
Target Milestone: ---
There is a write-beyond-bounds bug in h2_util_header_print()
(modules/http2/h2_util.c) in httpd 2.4.53+. [1]
The bug appears to be latent in httpd 2.4.53 because nothing seems to call
h2_util_header_print().
The bug is caused by using the condition |offset < maxlen; ... ++offset| in
various |for| loops when indexing a buffer, then following the loops with
|buffer[offset] ='\0';| . Thus sufficiently-long data causes |offset| to become
== |maxlen| after a |for| loop, causing the |'\0'| to be written beyond bounds
and the out-of-bounds value of |offset| to be returned to the caller:
79: size_t h2_util_header_print(char *buffer, size_t maxlen,
80: const char *name, size_t namelen,
81: const char *value, size_t valuelen)
82: {
83: size_t offset = 0;
84: size_t i;
85: for (i = 0; i < namelen && offset < maxlen; ++i, ++offset) {
86: buffer[offset] = name[i];
87: }
88: for (i = 0; i < 2 && offset < maxlen; ++i, ++offset) {
89: buffer[offset] = ": "[i];
90: }
91: for (i = 0; i < valuelen && offset < maxlen; ++i, ++offset) {
92: buffer[offset] = value[i];
93: }
94: buffer[offset] = '\0';
95: return offset;
96: }
You can demonstrate the bug by copying the function into a scratch file, then
calling in thusly:
char buf[20];
const char name[]="0123456789";
const char val[]="0123456789";
size_t s = h2_util_header_print(buf, sizeof(buf), name, strlen(name), val,
strlen(val));
and stepping h2_util_header_print() in a debugger, watching |buf| for the
overwrite.
Note also that the function can create a malformed |buffer| if, e.g., |namelen
>= maxlen| (|buffer| will contain only |name| followed by '\0').
[1] The security team has asked me to file "hardening" (latent) bugs publicly.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org