Wrong buffer size calcualtion in msn_httpconn_parse_data

Daniel Atallah daniel.atallah at gmail.com
Mon Aug 8 13:25:12 EDT 2011

On Mon, Aug 8, 2011 at 00:51, Mark Doliner <mark at kingant.net> wrote:
> On Wed, Jul 20, 2011 at 8:31 PM, Daniel Atallah
> <daniel.atallah at gmail.com> wrote:
>> It does indeed look like that is a bug, and from an initial look, it
>> appears to make it possible to cause a buffer over-read with a
>> carefully crafted message.
> I agree.
>> I believe that the worst possible impact is that a malicious server
>> could cause a crash (DoS).
> I mostly agree with that.  I think remote code execution is not
> possible because the bug only causes us to read past the end of a
> buffer--it doesn't cause us to write past the end of a buffer.
> (Specifically the bug causes 'size' to be larger than it should be,
> which causes 'body_len' to be larger than it should be, which causes
> us to read too many bytes from body_start/buf).  Is that what you were
> thinking?

Yes, that's exactly it.

> You said "a malicious SERVER could cause a crash."  It seems possible
> to me that a remote client might be able to do something to cause the
> server to send an HTTP 100 Continue response.

Hmm... I suppose it is theoretically possible - I don't know under
which conditions such a thing could happen.

It's worth noting that a Continue would not normally have a Body, so,
it may not be really possible to trigger via the MSN servers.

> This also only affects people using the HTTP connection method, right?

I believe that to be the case too, but I'm not as familiar with the
MSN prpl as some others.


More information about the security mailing list