array buffer overflow vulnerability #56
Comments
Please refer to Safe3@e51c28c
Hi Safe3. I oddly was unable to trigger this with a test case, but I fixed this in a different way. Thanks very much. nickg
This function's segmentation fault may not happen every time the array is accessed out of bounds, because that memory is still readable. Try this case.
Thanks flily... I'll work on another test case for this.
OK, but you misspelled my name.
My apologies. Fixed! I'm concerned my automated tests aren't catching this, as it's very obvious the over-read is happening. I will investigate and report back.
gcc --version with -fstack-protector with buffer over-read: valgrind does not detect it, and returns error free. Removing -fstack-protector allows valgrind to detect the over-read correctly. Conclusion: -fstack-protector did not protect the stack and caused silent failure.
There is an array buffer overflow vulnerability in function parse_word of libinjection_sqli.c: if one keyword is longer than 32, sf->current->val[i] will be overflowed. Below is one new patch function.
static size_t parse_word(struct libinjection_sqli_state * sf)
{
    char ch;
    char delim;
    size_t i;
    const char *cs = sf->s;      /* pointer into the input; the posted text had dropped the `*` */
    size_t pos = sf->pos;
    /* length of the bareword: run of bytes up to the first delimiter (NUL included) */
    size_t wlen = strlencspn(cs + pos, sf->slen - pos,
                             " {}<>:?=@!#~+-/&|^%(),';\t\n\v\f\r\"\000");
    /* clamp the number of bytes copied into the fixed-size token buffer,
       leaving room for the terminating NUL */
    size_t kwlen = wlen < LIBINJECTION_SQLI_TOKEN_SIZE ? wlen : (LIBINJECTION_SQLI_TOKEN_SIZE - 1);
    st_assign(sf->current, TYPE_BAREWORD, pos, wlen, cs + pos);
    /* remainder of the function (where kwlen is used and the position is returned)
       is not included in the issue text */
}
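As an added illustration of the over-read discussed in this issue (it is not code from libinjection, from Safe3's patch, or from any commenter), here is a minimal stand-alone version of the bareword tokenizer with a fixed 32-byte token buffer. The names TOKEN_SIZE, kw_delims, word_len, st_assign_safe, parse_word_safe and assign_overflow_bytes are all constructed here and are assumed to mirror the roles of LIBINJECTION_SQLI_TOKEN_SIZE, strlencspn, st_assign and parse_word. It shows the length clamp the patch introduces, keeps the true word length so the scanner still advances past the whole word (which is why the over-read is silent when the bytes past the buffer happen to be readable), and reports how many bytes an unclamped copy would spill past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed token buffer size; stands in for LIBINJECTION_SQLI_TOKEN_SIZE (assumption). */
#define TOKEN_SIZE 32

struct token {
    char   type;
    size_t pos;             /* offset of the word in the input */
    size_t len;             /* full length of the word in the input, may exceed TOKEN_SIZE */
    char   val[TOKEN_SIZE]; /* at most TOKEN_SIZE-1 bytes of the word plus a NUL */
};

/* Bareword delimiters. sizeof kw_delims includes the terminating NUL, so NUL is a delimiter too. */
static const char kw_delims[] = " {}<>:?=@!#~+-/&|^%(),';\t\n\v\f\r\"";
#define KW_NDELIMS (sizeof kw_delims)

/* Length of the leading run of s (at most len bytes) that contains no delimiter.
   Plays the role of libinjection's strlencspn; re-implemented here for the example. */
static size_t word_len(const char *s, size_t len, const char *reject, size_t nreject)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (memchr(reject, s[i], nreject) != NULL)
            return i;
    }
    return len;
}

/* The defect: copying wlen bytes plus a NUL into val[TOKEN_SIZE] without clamping.
   Returns how many bytes would land outside the buffer (0 means the copy fits).
   It only computes the figure; it never performs the unsafe copy. */
static size_t assign_overflow_bytes(size_t wlen)
{
    return (wlen + 1 > TOKEN_SIZE) ? (wlen + 1 - TOKEN_SIZE) : 0;
}

/* Hardened assign: copy at most TOKEN_SIZE-1 bytes, always NUL-terminate,
   and record the true word length separately so nothing is lost for the caller. */
static void st_assign_safe(struct token *t, char type, size_t pos, size_t wlen, const char *value)
{
    size_t kwlen = wlen < TOKEN_SIZE ? wlen : TOKEN_SIZE - 1;
    t->type = type;
    t->pos  = pos;
    t->len  = wlen;
    memcpy(t->val, value, kwlen);
    t->val[kwlen] = '\0';
}

/* Tokenize one bareword starting at pos; returns the position just after it. */
static size_t parse_word_safe(const char *s, size_t slen, size_t pos, struct token *out)
{
    size_t wlen = word_len(s + pos, slen - pos, kw_delims, KW_NDELIMS);
    st_assign_safe(out, 'n', pos, wlen, s + pos);
    return pos + wlen;
}

int main(void)
{
    /* Constructed input: a 40-byte keyword, longer than the 32-byte token buffer. */
    char in[64];
    struct token t;
    size_t next;

    memset(in, 'A', 40);
    in[40] = ' ';
    in[41] = 'x';
    in[42] = '\0';

    next = parse_word_safe(in, 42, 0, &t);
    printf("word length %zu, stored \"%s\" (%zu bytes), next pos %zu\n",
           t.len, t.val, strlen(t.val), next);
    printf("unclamped copy would overflow val by %zu byte(s)\n",
           assign_overflow_bytes(t.len));
    return 0;
}
```

The clamp alone does not make the scanner lose data: t.len still carries the real length, so the caller skips the whole word and only the stored copy is truncated.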