[BusyBox 0000612]: Buffer Overflow in the httpd
bugs at busybox.net
Mon Dec 26 17:28:14 UTC 2005
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=612
======================================================================
Reported By: alita
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 612
Category: Security
Reproducibility: always
Severity: crash
Priority: normal
Status: assigned
======================================================================
Date Submitted: 12-23-2005 06:35 PST
Last Modified: 12-26-2005 09:28 PST
======================================================================
Summary: Buffer Overflow in the httpd
Description:
I found a buffer overflow in the httpd. In the function encodeString() it
allocates only len*5+1 bytes, but to store entities over 99 it needs
len*6+1 bytes. So if you try to encode a multiple-KB-long string with many
characters over 99, it ends up with a segfault. This is maybe a security
risk.
In the function decodeString() you can jump over the terminating zero
byte, if you place the '%' character at the right (wrong) place, and
access the memory after it.
For example, if you run the following command, it will output your first
environment variable:
httpd -d "%20%8"; echo
This function is used in handleIncoming(), too. This is maybe a
security risk, so it should better be fixed soon. I have written a patch that
corrects it and attached it to this bug report.
Sorry for my bad English. I hope you can understand it.
======================================================================
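Added illustration, not code from the report, its patches, or BusyBox: simplified stand-ins for the two functions the report names, with the output buffer sized for the worst case (len*6+1) and a decoder that refuses to consume a '%' escape unless both hex digits are actually present, so it cannot step over the terminating NUL. The names encode_string, decode_string, hexval, decodes_to and the constant ENTITY_MAX are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One byte can expand to "&#255;" (6 bytes), so the output needs len*6+1;
 * len*5+1 only covers entities up to "&#99;", the overflow in the report. */
#define ENTITY_MAX 6
/* Encode every non-alphanumeric byte as a decimal "&#NNN;" entity (at most
 * ENTITY_MAX bytes each). Returns a malloc'd string the caller frees. */
char *encode_string(const char *s)
{
    char *out = malloc(strlen(s) * ENTITY_MAX + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++)
        if (isalnum((unsigned char)*s)) *p++ = *s;
        else p += sprintf(p, "&#%u;", (unsigned)(unsigned char)*s);
    *p = '\0';
    return out;
}
/* Value of a hex digit, or -1 for anything else (including the NUL). */
static int hexval(unsigned char c)
{
    return !isxdigit(c) ? -1 : isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}
/* Decode %XX escapes in place. A '%' not followed by two hex digits is kept
 * literally, so the cursor never steps past the terminating NUL ("%8\0"). */
char *decode_string(char *s)
{
    char *r = s, *w = s;
    int hi, lo;
    while (*r) {
        if (*r == '%' && (hi = hexval((unsigned char)r[1])) >= 0
                      && (lo = hexval((unsigned char)r[2])) >= 0) {
            *w++ = (char)(hi * 16 + lo);
            r += 3;
        } else
            *w++ = *r++;
    }
    *w = '\0';
    return s;
}
/* Check helper: decode a copy of `in` and compare it with `want`. */
int decodes_to(const char *in, const char *want)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", in);
    return strcmp(decode_string(buf), want) == 0;
}
```

The constructed input "\xc8\xc8\xc8" (three bytes of value 200) encodes to 18 bytes, exactly 6 per byte, which a len*5+1 buffer cannot hold.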
----------------------------------------------------------------------
alita - 12-23-05 06:50
----------------------------------------------------------------------
Better use the second patch...
----------------------------------------------------------------------
vodz - 12-26-05 09:28
----------------------------------------------------------------------
Thanks. It's old and not my problem. See fresh changes: 12978 SVN revision.
Issue History
Date Modified Username Field Change
======================================================================
12-23-05 06:35 alita New Issue
12-23-05 06:35 alita Status new => assigned
12-23-05 06:35 alita Assigned To => BusyBox
12-23-05 06:35 alita File Added: httpd_bufferoverflow.patch
12-23-05 06:46 alita Issue Monitored: alita
12-23-05 06:47 alita File Added: httpd_bufferoverflow2.patch
12-23-05 06:50 alita Note Added: 0000807
12-26-05 09:28 vodz Note Added: 0000815
======================================================================