[BusyBox 0000612]: Buffer Overflow in the httpd

bugs at busybox.net bugs at busybox.net
Fri Dec 23 14:50:21 UTC 2005


A NOTE has been added to this issue. 
====================================================================== 
http://busybox.net/bugs/view.php?id=612 
====================================================================== 
Reported By:                alita
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   612
Category:                   Security
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             12-23-2005 06:35 PST
Last Modified:              12-23-2005 06:50 PST
====================================================================== 
Summary:                    Buffer Overflow in the httpd
Description: 
I found a buffer overflow in the httpd. In the function encodeString() it
allocates only len*5+1 bytes, but to store entities over 99 it needs
len*6+1 bytes. So if you try to encode a multiple-KB-long string with many
characters over 99, it ends up with a segfault. This may be a security
risk.

In the function decodeString() you can jump over the terminating zero
byte if you place the '%' character at the right (wrong) place, and
access the memory after it.

For example if you run the following command, it will output your first
environment variable:
httpd -d "%20%8"; echo

This function is used in handleIncoming(), too. This may be a
security risk, so it should be fixed soon. I have written a patch that
corrects it and attached it to this bug report.

Sorry for my bad English. I hope you can understand it.
====================================================================== 

---------------------------------------------------------------------- 
 alita - 12-23-05 06:50
---------------------------------------------------------------------- 
Better use the second patch...

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
12-23-05 06:35  alita          New Issue
12-23-05 06:35  alita          Status                   new => assigned
12-23-05 06:35  alita          Assigned To               => BusyBox
12-23-05 06:35  alita          File Added: httpd_bufferoverflow.patch
12-23-05 06:46  alita          Issue Monitored: alita
12-23-05 06:47  alita          File Added: httpd_bufferoverflow2.patch
12-23-05 06:50  alita          Note Added: 0000807
======================================================================