array buffer overflow vulnerability

[Safe3]

There is a array buffer overflow vulnerability in function parse_word of libinjection_sqli.c,if one keyword is more than 32,the sf->current->val[i] will be overflowed.Below is one new patch function.

static size_t parse_word(struct libinjection_sqli_state * sf)
{
char ch;
char delim;
size_t i;
const char cs = sf->s;
size_t pos = sf->pos;
size_t wlen = strlencspn(cs + pos, sf->slen - pos,
" {}<>:?=@!#~+-/&|^%(),';\t\n\v\f\r"\000");
size_t kwlen = wlen < LIBINJECTION_SQLI_TOKEN_SIZE ? wlen : (LIBINJECTION_SQLI_TOKEN_SIZE - 1);
st_assign(sf->current, TYPE_BAREWORD, pos, wlen, cs + pos);

/* now we need to look inside what we good for "." and "`"
 * and see if what is before is a keyword or not
 */
for (i =0; i < kwlen; ++i) {
    delim = sf->current->val[i];
    if (delim == '.' || delim == '`') {
        ch = sf->lookup(sf, LOOKUP_WORD, sf->current->val, i);
        if (ch != TYPE_NONE && ch != TYPE_BAREWORD) {
            /* needed for swig */
            st_clear(sf->current);
            /*
             * we got something like "SELECT.1"
             * or SELECT`column`
             */
            st_assign(sf->current, ch, pos, i, cs + pos);
            return pos + i;
        }
    }
}

/*
 * do normal lookup with word including '.'
 */
if (wlen < LIBINJECTION_SQLI_TOKEN_SIZE) {

    ch = sf->lookup(sf, LOOKUP_WORD, sf->current->val, wlen);
    if (ch == CHAR_NULL) {
        ch = TYPE_BAREWORD;
    }
    sf->current->type = ch;
}
return pos + wlen;

}

[Safe3]

Please referer to Safe3@e51c28c

[client9]

Hi Safe3.. I oddly was unable to trigger this with a test case, but I fixed this in a different way.

thanks very much.

nickg

[flily]

This function parse_word parse a very long word may cause segment fault, since stoken_t.len stands for the length of token in original string.

Segment fault may not happen every time when access array out of boundary, because that memory still readable. Try this case.

FFD8FFE000104A46494600010100000100010000FFDB0084000503040404030504040405050506070C08070707070F0B0B090C110F1212110F111113161C1713141A1511111821181A1D1D1F1F1F13172224221E241C1E1F1E010505050706070E08080E1E1411141E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1EFFC00011080078007803011100021101031101FFC401A20000010501010101010100000000000000000102030405060708090A0B100002010303020403050504040000017D01020300041105122131410613516107227114328191A1082342B1C11552D1F02433627282090A161718191A25262728292A3435363738393A434445464748494A535455565758595A636465666768696A737475767778797A838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE1E2E3E4E5E6E7E8E9EAF1F2F3F4F5F6F7F8F9FA0100030101010101010101010000000000000102030405060708090A0B1100020102040403040705040400010277000102031104052131061241510761711322328108144291A1B1C109233352F0156272D10A162434E125F11718191A262728292A35363738393A434445464748494A535455565758595A636465666768696A737475767778797A82838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE2E3E4E5E6E7E8E9EAF2F3F4F5F6F7F8F9FAFFDA000C03010002110311003F00F68ADC80A002800A002800A002800A00281050014005001400500140C0D020A06140050028340833EF4007E3400BF5A4210303DE8016800A002800A0028010D31850018A02E18A004340104D731C7C6413F5E295C5733AE7588D011BC0FA52B85CCE9F5E41FF002D39A571108D7D3FBF4AE04B0EBA8D9CB8E31DE9DC0D1B7D591F82C01EBCD1703462BB461F7B3F853B816124561C1A0075318500262818530133400B9A00A5A85E2C28DF301B7BD4B623CD7C75E3EB0D1176CAED24F20F9208FEF30F5F61EFF5EB50DD8718B91E4DAAF8F3C45AACACB04A965113C2C239C7BB1E7F2C5473366CA118EE624AFA95D0DD717B73367AEF959BF9FF009E29587CC9151ADA48F90704770718F7CD162B990C5D535CB0757B3D5AF502F45F3C953EDB49C5325A4CDED07E2B6BBA74AB16A91477D06402CA3CB7F73C7CA78F61F5A6A444A0BA1EB5E0BF883A56BD0EFB0BB0F2281E640FF2C8838EA3F4C8C8F7AA4CCDC5A3B3D03C4769A95B09ED270E81991B1CE1958AB29F420820D34C4D58E92D6E438E4D508B40861914C61CD03208662FD718F6CD2B8AE4E391DE98115CBF971E719A1B0B9E6BF13FC531683A2DC5EBE1DC7C90A13F7DFB0FEA7D81A86C22AECF9C4CF75A9DE497B79319AE67259DCFF2F61DAB2DCEA4B951B7636E080A071E9D6A8CF735E3B25F2F27EF63BD022ADDDB85F976F038E9D280312F615C9C0C8140CE7EFA1FBC08E47E1480C84B8BAD37508EF6CE77B79D0EE5743820FF009FCE981DCFC33F896BA0693776D736D7BA9EA575A94D32DBDB8C9C32A963D3A16DC7007AD3BD8971B9F427C2DF1AD878BF451A958ACB1EC94C334528C3C6E3920FE041FC6A93336AC7A240CC4727F3AA1131AA28A96687603C8F4A924B8071D4D31997ADCE1223CF6C63AE693067CC3F1E3596BCF155BE948C0C56C85DF9EAED9FE400FCEB291A416872BA69195E4669234773A4B06C01B7AE29926A09879603305C0CF3408A17B2ABA9C74F7C500616A129038F98762681983A8152C496C76E33C7E540183A86DDEBB714017FE12EA634EF88B67BC284BA636AF9EC588C63FE0417F3A04CFAB3E1DE890E9771A95DC6419350BA171281C2A30455C0FF00BE7249EE4D523393B9E936EA028E067DC55924E6A8A4476814C431524129E9E94CA399F12CA56370071DC9E952C47C75E2FD41AFBC6FAB5CB1C62F1D467AED5F947E82B33744F6126D61F31FCE915D0D9B6B9DBC13938EB9A649AB6897B76B9B7B5B89F1DD222DFC852BA0B364A340F135E0DB6DA06B17049C0115948C4FE40D2738AEA5724BB17EC7E137C4AD598083C277D12FADD116E07BE1C83FA544ABD38ADCA5466FA1DBF85BF661D4AE2449BC5BAF436B0E72D6FA7832487D8BB8014FE0D5C9531C97C28EA860DBF899F3EFC62B2D3745F88BAFE93A4C060B0D3EEDEDE18D9CB1F930A4963C924827F1E2BB2949CA09BEA72554A33691C7F854B8F15E94C8C37FDBA1218E719F30735A199F76F85E30235C70383CFD2AD189D746309C1E2A9001E460F3545584B65DB18039F5278A9218E6F5C8C53291C6F8B65096D2313B8AA924679A86247C4DA7BDCDF5F2241149713DCC802C71A1667763C00A3A9248E2B36D25767424DBB23E96F853FB3B6A9A94116A1E36BC7D3616C32D95BE0CEC3FDB6E550FB004FD0D7055C7C5690D4EEA78296F3D0FA0FC27F0DFC15E1D89069BE1DB2F357ACD3A79D2FD773E48FC302B91D7A95376742A34E1B23B48D15542AA8000C00063154912D930518FF1AD2C88BB18413C28C9C76A86AFA2293EE559D1D73B931F862B9E7192DD1BC249ECCF82FF006C4F03EA7E19F88D77E208ADE43A3EB72FDA23B851F2A4C402F1B1ECDB8161EA0F7C1C7AB83AAA74D2EA8F37174DC277E8CF1EF06C2F71E2ED1E08F3BDEFA150476F9C735D6729F78785C7EE9720F41F4F4AB316758BC273C1AA421954580E063F9D160B031E3A7E54058E2FC691196CE450092D195159B123C73F63A8BC27A769D7FE21D56EECCEB4B7AB676D0C8E3CD891C22828879CB3391903B11EA2BC7CC2555C9422B4B5FF00AF43DECB214941CE5F15EDFD7A9F5AF8C3C4BA0FC3EF073789BC4CF2883708E28635DCF23B025540F5C0279E00068C2E1135CD332C5E2DA972C0C1F845F1CFC1BF127573A25AD95EE99A9ED678E2B80A56551D76B03D40EC40FC6BD09518BE8702AB247A44B1F932953D3F9D79D387B3958EF8CB9E371CA77B2853D78AA5EF34912F44EE79DFC72F8C7A1FC2AB6B7B4FB17F6A6B3729BE3B55942044E9BDDB048C907031CE0F4AEEA74E31471D4A8E4C8BE027C66D33E2B25EE9B3E96DA56B3671F9B25BEFDE9245BB6EF538078240208EE3AF6A9D38C9598A33945DC77C40D77C24FE258BE1DEB62DEEAEB54B49275B3B88C346F129EFBB8249070064FCA4F18AF0EA539D3BCE3B267B94270A8D425BB3E3CB0F06699A7FED2F77A4F870F9BA4E97279E7E6DE212621F26E3D76BB639E78F506BD9C2CE55294653DCF171B0852AB28C363EA4F0E4588909F4E99E95D471337C7DCC550BA8C354586680039C718FCA80394F150DD031F6CFF3ACD92729F0C7E12F81B4CF11C3E2CB7B3B89AF95FCD892798BC50499392A31D41CE324E3A8E6BE7B158BACA72A4F6FD0FABC260A83A71AF1D5B5F8F5FC4F5BF8F9E027F8B1F0EADB4ED1EFA0B7BFB4B81776E27242390ACA5188E47DEEB83C8F7AF5A8558CE2AC78788A33A736A48F3AFD997E01F89BC1DE38FF0084AFC5ED6D6A6C5244B3B6826121919D4A9762380A01381D73E98E776CC123E86BF9D1EE484E7B1C579388AAA53D0F4E8D36A1A9143308E557390179ACA1539649973A7CD168F16FDA6BE07DFF00C4AD56DFC49E1CD46D16FD2DD6DE7B5B9728B2AAB12ACAC01C1F9B907B01CF63EBC2AC64B73CC9D3945EC5CFD9CBE13A7C22B2BED6BC45A85BDD6BD7F1F9023B662E90C79DC501382C4B0049C60607E3157110A6AED9B50C2D4AD2B245BF8A9E09F08FC408A37F1368F15DC909261995DA3923CF254329071EC4E3DABC358AA94DB7176B9EEAC1529A519ABD8E0349F0BF867C2B76348F0DE991D9C40EF988767791F1C6E66249C03C0CE0678AF572F752A2756A3DF6FEBFAD8F233554A938D1A4AD6D5FABFEBF13D07488D5546D18C015E99E39A4D4D021954580A00538A00E47C6C6FA3D2AE5EC2DC5CDD22168E176C0908E76E4F427A67B66A1891E7DF01FE2845E23D7753D02EEC1F4CBAB63E64304B26E7600E241D060AB638F73E95E066945A92AABE67D3E4B594A9BA2DEAB55FD7F5B9EF7A6DF5DDB91F659CA062091D457152ACE1B1E8D5A34EA2F7D1B96BA85ECC3135C311E95A4B11525A5CE29E1E947E145A1206E3AD4F35CCDC6C2F99B4B104FE5D69F3585CB720BC7936652475383D0D27392D99A4231BEA8E7EE212B319A47767CF56359C9DF567A11969648C5F136AD0E9DA5DC5E481D9618D9F620DCCD819C28EEC7A01EB52A2EAC9463BB1CA51A50739EC8F0DF82BE31D6BC67777735DE8B2DB98EE2469AE58FEEC658948973C9600807D028EE40AFAAA3054E0A0BA1F1789A8EAD47525BB3DE34E0444323F4AD4E665A6E38CFBD58D0C1FCFA532871C63B7E7484277A6328DFD989533D40E4FBD4B4238BBFF0DDB41AC1D5EDACEDD350E86E5635F38AFA16C671EC78ACAA538D48B8C968CBA55674A4A707668DFD135C127EE6E3E49B182A78DDEE335F378AC1CF0EEFBC7FADCFAFC163E9E2E36DA5DBFC8EA6CB510C71BBF1FEB5C9CC74CE91AD05D8201CE3354A4734A9931B8E08248CFA9A7CC47214EE6F42EE1B80E3A75A4E46D1A473BAAEAA91A33BBAAA29EBDAA62A5395A2AECE9B469C79A6EC8E4EE5EE35AB9525645B753F2861F78F727F5AFA2C0E0BD82E697C4CF96CCB31FAD3E486915F8FF5D0DDD234F1128F9470319F4F6AF44F24DB8504680607E54085622A8A486D318B907B7E5484071C76E6800EDD314010CF6D1CAAD95E4D160B1CCEB1A742581518FE2CF7A86AE09D8E767D7354D2DBF752ACA00C6D9467BFAF5AE0AB97509EB6B7A1E9D0CDB134D59BBAF3FEAE6C7857C77A95F5EA5BC9A21F28AB7EFD19B60C741F748EBC75AF3317838508F3296BDBA9ECE03153C5D450946CBBF4FEBE674F7DE229A1B29E58B4C9267446658C360B10338CE3BE2BCFA7EF4945E88F56AE15D3A6E69DDA5B77384D47C75AEC92085B471A6063C79FB9891DF190077AF62965D465F6EFE963E7EB66788A7BD3E5F5BFFC0174D79B517F3AEE7795F70EA381F957A946853A4AD0563C5AF89AB5DDEA4AFF00D763B5D26D22550E00DD8F4ADCE7358281D1707DA8244391CE6A8A4267AE79EDC503023A8E050028E28010D002FB0140115C4A23439EB8E286071BE2AD76DECADA59EE2711C31A96666E3FFD7F4EF59CA4A2AECD28D19D69AA74D5DB3C3FC49E2ED4755BA0BA697B4881CA8E0BBF39C93DBA741F8935E4D6C64A4F4D11F7996F0E53A31BD54A537F72FEBBBFC0F47F04FC5DD13ECF1DA78B2C66B09D540373047E642F81F7B68F997E8323E9D2BCD9504F547656C2D5A7A47FAFD0EAAF3E29FC3186032C3ACBDC38FF009651D8CDB9BFEFB403F5A4A83472AA789D9AFC4F26F88DF106F7C558B3D16D26D334D47DC1DDF134C474CE0E07D067EB5AD38AA6EFD4F4A965F2A91FDE2BAF3DBFE090F833C732DA5CC76FABB0784E144F8C107FDAC76F71FF00D71E950C635A4CF9ECD78723CBED30BBF6FF002FF2FB8F72D0F548E58D59581DDEFDABD3B9F16D58E8E37122E46298808F615452131834001FC2818B4084A0028031F5FBA6489803818ED9A9623E76F8A9AECBA86BDFD98AC7ECD6A41618FBD2119CFE00E3F3AF271955CA5CBD11F75C37828D2A5EDDFC52FCBFE0DAFF0071CEE9C99766F4C0E9D33DFF00CFAD79F23ECA82BB6CD45C67919FC2B23B9128418FBA2A6E6AA24338CA9C1FA60639AA46735A68635D81E7BE3A1F9BD7AF35B4763CCAA97333D23E0CF88649237D226704DB80D093C929E9F81207E3ED5EB60AAB6B91F43F3DE23C1469D455E1F6B7F5FF00827B8E9736F887CDFAD779F32688CE3AE7F1AA4341903A9140013401FFD9

[client9]

thanks flily ... I'll work on another test case for this.

[flily]

ok, but you misspell my name.

[client9]

My Apologizes. fixed!

I'm concerned my automated tests aren't catching this as it's very obvious the over-read is happening. I will investigate and report back.

[client9]

gcc --version
gcc (GCC) 4.7.2 20121109 (Red Hat 4.7.2-8)

with

-fstackprotector

with buffer over-read

== valgrind does not detect it, and returns error free.

Removing -fstackprotector, allows valgrind to detect the over-read correctly.

Conclusion: -fstackprotector did not protect the stack and caused silent failure.