Wrong buffer size calculation in msn_httpconn_parse_data
Daniel Atallah
daniel.atallah at gmail.com
Mon Aug 8 13:25:12 EDT 2011
On Mon, Aug 8, 2011 at 00:51, Mark Doliner <mark at kingant.net> wrote:
> On Wed, Jul 20, 2011 at 8:31 PM, Daniel Atallah
> <daniel.atallah at gmail.com> wrote:
>> It does indeed look like that is a bug, and from an initial look, it
>> appears to make it possible to cause a buffer over-read with a
>> carefully crafted message.
>
> I agree.
>
>> I believe that the worst possible impact is that a malicious server
>> could cause a crash (DoS).
>
> I mostly agree with that. I think remote code execution is not
> possible because the bug only causes us to read past the end of a
> buffer--it doesn't cause us to write past the end of a buffer.
> (Specifically the bug causes 'size' to be larger than it should be,
> which causes 'body_len' to be larger than it should be, which causes
> us to read too many bytes from body_start/buf). Is that what you were
> thinking?
Yes, that's exactly it.
> You said "a malicious SERVER could cause a crash." It seems possible
> to me that a remote client might be able to do something to cause the
> server to send an HTTP 100 Continue response.
Hmm... I suppose it is theoretically possible - I don't know under
which conditions such a thing could happen.
It's worth noting that a Continue would not normally have a Body, so it
may not be really possible to trigger via the MSN servers.
>
> This also only affects people using the HTTP connection method, right?
I believe that to be the case too, but I'm not as familiar with the
MSN prpl as some others.
-D
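The thread above describes the failure mode in general terms: an overstated `size` becomes an overstated `body_len`, and the parser then reads past the bytes it actually holds. The following is an added illustration written for this archive page; it is not Pidgin's msn_httpconn_parse_data and does not reproduce that function's logic. The names `parse_http_response`, `http_msg` and `header_content_length` are made up for the example, the sample responses are constructed rather than captured, and the parser assumes the caller passes the true number of bytes buffered. The point it demonstrates is the bound a practitioner wants in such a parser: a body length derived from header contents is checked against the bytes actually present before anything is read, and a 100 Continue is treated as having no body.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Parsed view of one buffered HTTP response; body points into the caller's buffer. */
typedef struct {
    int status;          /* HTTP status code, e.g. 100 or 200 */
    const char *body;    /* first byte after the header terminator */
    size_t body_len;     /* body bytes that are really in the buffer */
} http_msg;

/* Bounded search for needle in hay[0..hay_len); hay need not be NUL-terminated. */
static const char *find_seq(const char *hay, size_t hay_len,
                            const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return hay + i;
    return NULL;
}

/* Value of "Content-Length:" in the header block (case-sensitive match, a
 * simplification for the example). Returns -1 if absent, malformed or overflowing. */
static long header_content_length(const char *hdrs, size_t hdrs_len)
{
    static const char name[] = "\r\nContent-Length:";
    const char *p = find_seq(hdrs, hdrs_len, name, sizeof name - 1);
    const char *end = hdrs + hdrs_len;
    if (!p) return -1;
    p += sizeof name - 1;
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    if (p >= end || !isdigit((unsigned char)*p)) return -1;
    long n = 0;
    while (p < end && isdigit((unsigned char)*p)) {
        if (n > (LONG_MAX - 9) / 10) return -1;   /* reject numeric overflow */
        n = n * 10 + (*p - '0');
        p++;
    }
    return n;
}

/* Parse one HTTP response held in buf[0..size).
 *   0 : success, *out filled in
 *  -1 : malformed (bad status line or no end of headers)
 *  -2 : Content-Length claims more bytes than the buffer holds; honouring it
 *       would read past the end of buf, so the message is rejected instead. */
int parse_http_response(const char *buf, size_t size, http_msg *out)
{
    const char *end = buf + size;
    if (size < 12 || memcmp(buf, "HTTP/1.", 7) != 0) return -1;

    const char *sp = memchr(buf, ' ', size);            /* "HTTP/1.x NNN ..." */
    if (!sp || end - sp < 4) return -1;
    int status = 0;
    for (int i = 1; i <= 3; i++) {
        if (!isdigit((unsigned char)sp[i])) return -1;
        status = status * 10 + (sp[i] - '0');
    }

    const char *hdr_end = find_seq(buf, size, "\r\n\r\n", 4);
    if (!hdr_end) return -1;
    const char *body_start = hdr_end + 4;
    size_t hdrs_len = (size_t)(hdr_end - buf) + 2;      /* keep last header's CRLF */
    size_t avail = (size_t)(end - body_start);          /* bytes really present */

    long declared = header_content_length(buf, hdrs_len);
    size_t body_len;
    if (status == 100)           body_len = 0;          /* Continue carries no body */
    else if (declared < 0)       body_len = avail;      /* no length: take what is buffered */
    else if ((unsigned long)declared > avail) return -2;/* the bound that stops the over-read */
    else                         body_len = (size_t)declared;

    out->status = status;
    out->body = body_start;
    out->body_len = body_len;
    return 0;
}

/* Constructed sample responses for trying the parser (not captured traffic). */
static const char SAMPLE_OK[]       = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
static const char SAMPLE_SHORT[]    = "HTTP/1.1 200 OK\r\nContent-Length: 500\r\n\r\nhello";
static const char SAMPLE_CONTINUE[] = "HTTP/1.1 100 Continue\r\n\r\n";
```

`SAMPLE_SHORT` is the shape of input the thread worries about: the headers promise far more body than arrived. A parser that copies `declared` straight into `body_len` reads 495 bytes beyond the buffer; this one returns -2 and the caller can drop the connection. Whether that is enough in a real client still depends on `size` being honest, which is exactly the accounting the reported bug got wrong upstream of the parser.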