Wrong buffer size calculation in msn_httpconn_parse_data

Mark Doliner mark at kingant.net
Mon Aug 8 00:51:12 EDT 2011

On Wed, Jul 20, 2011 at 8:31 PM, Daniel Atallah
<daniel.atallah at gmail.com> wrote:
> It does indeed look like that is a bug, and from an initial look, it
> appears to make it possible to cause a buffer over-read with a
> carefully crafted message.

I agree.

> I believe that the worst possible impact is that a malicious server
> could cause a crash (DoS).

I mostly agree with that.  I think remote code execution is not
possible because the bug only causes us to read past the end of a
buffer--it doesn't cause us to write past the end of a buffer.
(Specifically the bug causes 'size' to be larger than it should be,
which causes 'body_len' to be larger than it should be, which causes
us to read too many bytes from body_start/buf).  Is that what you were

You said "a malicious SERVER could cause a crash."  It seems possible
to me that a remote client might be able to do something to cause the
server to send an HTTP 100 Continue response.

This also only affects people using the HTTP connection method, right?

