Wrong buffer size calculation in msn_httpconn_parse_data

Mark Doliner mark at kingant.net
Mon Aug 8 00:51:12 EDT 2011

On Wed, Jul 20, 2011 at 8:31 PM, Daniel Atallah
<daniel.atallah at gmail.com> wrote:
> It does indeed look like that is a bug, and from an initial look, it
> appears to make it possible to cause a buffer over-read with a
> carefully crafted message.

I agree.

> I believe that the worst possible impact is that a malicious server
> could cause a crash (DoS).

I mostly agree with that.  I think remote code execution is not
possible because the bug only causes us to read past the end of a
buffer--it doesn't cause us to write past the end of a buffer.
(Specifically the bug causes 'size' to be larger than it should be,
which causes 'body_len' to be larger than it should be, which causes
us to read too many bytes from body_start/buf).  Is that what you were

You said "a malicious SERVER could cause a crash."  It seems possible
to me that a remote client might be able to do something to cause the
server to send an HTTP 100 Continue response.

This also only affects people using the HTTP connection method, right?


