Bugtraq mailing list archives

wwwoffle-2.7b and prior segfaults with negative Content-Length value
From: qitest1 <qitest1 () bespin org>
Date: Thu, 18 Jul 2002 10:32:09 +0200 (CEST)


                QITEST1 SECURITY ADVISORY #005

wwwoffle-2.7b and prior segfaults with negative Content-Length value

PROGRAM DESCRIPTION
WWWOFFLE, World Wide Web Offline Explorer, is a proxy HTTP/FTP
server for computers with dial-up internet access.

DETAILS
When processing HTTP requests, wwwoffled misinterprets the
"Content-Length" header field: it fails to handle negative
values properly. Consequently, if it receives a negative integer,
the program segfaults in memcpy(), because the size argument (size_t n)
is an unsigned integer, so the negative value becomes a huge length.
Remote overflow exploitation may be possible. Only the child process
dies on the segfault, so this does not effectively constitute a
denial of service vulnerability.
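
As an added illustration (not code from the advisory or from wwwoffle), the following shows the signed-to-unsigned conversion the advisory describes, next to a header parser that refuses the values the original `length==-1` check let through. `MAX_BODY_LEN` and the function names are assumptions chosen for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical upper bound for one request body; not a wwwoffle value. */
#define MAX_BODY_LEN (16L * 1024 * 1024)

/* The conversion at the heart of the advisory: an int holding a negative
 * Content-Length becomes an enormous size_t when handed to memcpy(). */
size_t length_as_size_t(int length)
{
    return (size_t)length;            /* -1 -> SIZE_MAX */
}

/* Case-insensitive prefix test, since HTTP header names are not case-sensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Parse the value of a "Content-Length:" header line.
 * Returns the length on success, or `fallback` for anything that must be
 * rejected: wrong header, missing or non-numeric value, a sign character,
 * trailing junk, overflow, or a value above MAX_BODY_LEN. A negative value
 * can never be returned because a leading '-' is refused before strtol(). */
long content_length_or(const char *header_line, long fallback)
{
    const char *p;
    char *end;
    long value;

    if (!has_prefix_ci(header_line, "Content-Length:"))
        return fallback;
    p = header_line + sizeof "Content-Length:" - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))  /* refuses "-1", "+5" and "" */
        return fallback;
    errno = 0;
    value = strtol(p, &end, 10);
    if (errno == ERANGE || value < 0 || value > MAX_BODY_LEN)
        return fallback;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    return (*end == '\0') ? value : fallback;   /* trailing garbage -> reject */
}
```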

SOLUTION
wwwoffle_2.7c fixes this flaw. Alternatively, you can use the
following patch:

==8< wwwoffle-2.7b.patch
- --- wwwoffle-2.7b-old/src/parse.c     Sat Mar 23 15:28:36 2002
+++ wwwoffle-2.7b/src/parse.c   Fri Jul 12 16:52:46 2002
@@ -180,7 +180,7 @@
  if(!strcmp("POST",(*request_head)->method) ||
     !strcmp("PUT",(*request_head)->method))
    {
- -    if(length==-1)
+    if(length < 0)
       {free(url);return(NULL);}
 
     *request_body=CreateBody(length);
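Review bot: `if(length < 0)` closes the negative-value path described in the advisory, but the hunk still passes any non-negative `length` straight to `CreateBody(length)` with no upper bound, so an oversized positive Content-Length is accepted unchanged; consider rejecting values above a sane body limit in the same check. Note also that the former `-1` sentinel (header absent) now shares the rejection path with genuinely negative values, which is fine for POST/PUT here but worth a comment.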
==8<

  Web: http://bespin.org/~qitest1
  GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key

