
NULL dereference for invalid Host and If-Modified-* headers #264

Closed
mobsense opened this issue Feb 6, 2018 · 1 comment
@mobsense mobsense commented Feb 6, 2018

Overview

A security vulnerability affecting GoAhead versions 3-4 up to and including 4.0.0 with specially crafted if-modified or host headers has been identified. This bulletin discusses this flaw and its implications.

Summary

An HTTP POST request with specially crafted, invalid if-modified and/or Host header fields may cause a NULL dereference and thus cause a denial of service.

Description

If the "host" field of an HTTP request does not contain a closing IPv6 ']' character, a NULL dereference will occur.

If the "if-modified-since" or "if-unmodified-since" headers contain an invalid time such that the month decodes to a value greater than 11, a NULL dereference will occur.

Threat Scope

Versions up to and including 4.0.0. Fixed in 4.0.1.

Severity

Medium. An attacker could cause a denial of service.

Remedy

Apply the quick patch below to GoAhead 3.X to 4.X. Alternatively, upgrade to GoAhead 4.0.1.

Quick Patch

In socket.c:

diff --git a/src/socket.c b/src/socket.c
index 36530efd..01fc721d 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -1295,8 +1295,9 @@ PUBLIC int socketParseAddress(cchar *address, char **pip, int *pport, int *secur

                 /* Set ipAddr to ipv6 address without brackets */
                 ip = sclone(address + 1);
-                cp = strchr(ip, ']');
-                *cp = '\0';
+                if ((cp = strchr(ip, ']')) != 0) {
+                    *cp = '\0';
+                }

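Review bot: The guard stops the write through a NULL `cp`, but a bracketed address with no closing ']' is now silently accepted, with `ip` holding the whole remainder after the '[' as if it were a host string. Since such an address cannot be a valid IPv6 literal, consider treating the missing bracket as a parse error in `socketParseAddress` (free the cloned `ip` and return a failure code) so the malformed Host value is rejected outright rather than partially parsed; also note that this branch only runs when `address` starts with '[', so a stray ']' elsewhere in the value is not covered here.
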
In time.c:

@@ -575,8 +602,12 @@ static void validateTime(struct tm *tp, struct tm *defaults)
         tp->tm_mday = defaults->tm_mday;
     }
     if (tp->tm_yday < 0) {
-        tp->tm_yday = (leapYear(tp->tm_year + 1900) ?
-            leapMonthStart[tp->tm_mon] : normalMonthStart[tp->tm_mon]) + tp->tm_mday - 1;
+        if (tp->tm_mon <= 11) {
+            tp->tm_yday = (leapYear(tp->tm_year + 1900) ?
+                leapMonthStart[tp->tm_mon] : normalMonthStart[tp->tm_mon]) + tp->tm_mday - 1;
+        } else {
+            tp->tm_yday = defaults->tm_yday;
+        }
     }

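Review bot: The new `if (tp->tm_mon <= 11)` check only bounds the upper end; a negative `tm_mon` still indexes `leapMonthStart`/`normalMonthStart` out of range. Suggest `if (tp->tm_mon >= 0 && tp->tm_mon <= 11)`. The else branch also falls back to `defaults->tm_yday` while leaving the out-of-range `tm_mon` in place, so anything downstream that uses `tp->tm_mon` sees an invalid month; resetting it to `defaults->tm_mon` in the same branch (or rejecting the parse) would keep the struct consistent. A brief comment explaining why the fallback exists would help future readers of `validateTime`.
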
Please contact Embedthis if you require further information, test code or assistance at dev@embedthis.com.
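The two defects above share one root cause: a parser that assumes a delimiter or table index is valid and uses it without checking. The following is an added illustration of the defensive version of both parsing steps, written for this page rather than taken from GoAhead's source: `parse_host_header` returns an error code when a bracketed IPv6 literal lacks its closing ']' (instead of writing through a NULL pointer), and `day_of_year` range-checks the month and day before indexing the month-start tables. The function names, error codes and the month tables are assumptions made for this example; the tables are the standard cumulative day counts, not copied from GoAhead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example parser. */
enum { HOST_OK = 0, HOST_ERR_SYNTAX = -1, HOST_ERR_TOOLONG = -2, HOST_ERR_PORT = -3 };

/*
 * Parse a Host header value into a hostname/IP and optional port.
 * Accepts "example.com", "example.com:8080", "[::1]" and "[::1]:8080".
 * A '[' with no matching ']' is a syntax error, never a NULL dereference.
 * Bare (unbracketed) IPv6 literals are rejected, as RFC 3986 requires brackets.
 */
int parse_host_header(const char *host, char *ip, size_t iplen, int *port)
{
    const char *end, *portstr = NULL;
    size_t len;

    *port = 0;
    if (host == NULL || iplen == 0) return HOST_ERR_SYNTAX;

    if (host[0] == '[') {
        end = strchr(host + 1, ']');
        if (end == NULL) return HOST_ERR_SYNTAX;     /* the case the original code crashed on */
        len = (size_t)(end - (host + 1));
        if (len == 0) return HOST_ERR_SYNTAX;        /* "[]" carries no address */
        if (end[1] == ':') portstr = end + 2;
        else if (end[1] != '\0') return HOST_ERR_SYNTAX;
        host = host + 1;                              /* copy without the brackets */
    } else {
        /* A stray '[' or ']' outside the bracketed form is malformed, e.g. "]::aaaa" */
        if (strchr(host, '[') != NULL || strchr(host, ']') != NULL) return HOST_ERR_SYNTAX;
        end = strchr(host, ':');
        if (end != NULL) { len = (size_t)(end - host); portstr = end + 1; }
        else len = strlen(host);
        if (len == 0) return HOST_ERR_SYNTAX;
    }
    if (len >= iplen) return HOST_ERR_TOOLONG;
    memcpy(ip, host, len);
    ip[len] = '\0';

    if (portstr != NULL) {
        char *p;
        long v;
        if (*portstr == '\0') return HOST_ERR_PORT;
        v = strtol(portstr, &p, 10);
        if (*p != '\0' || v < 1 || v > 65535) return HOST_ERR_PORT;
        *port = (int)v;
    }
    return HOST_OK;
}

/* Helpers so callers (and tests) can check a parse result in one call. */
int host_result(const char *host)
{
    char ip[64]; int port;
    return parse_host_header(host, ip, sizeof ip, &port);
}

int host_parses_to(const char *host, const char *expect_ip, int expect_port)
{
    char ip[64]; int port;
    if (parse_host_header(host, ip, sizeof ip, &port) != HOST_OK) return 0;
    return strcmp(ip, expect_ip) == 0 && port == expect_port;
}

/* Cumulative days before each month (0-based month), constructed for this example. */
static const int normalMonthStart[12] = {0,31,59,90,120,151,181,212,243,273,304,334};
static const int leapMonthStart[12]   = {0,31,60,91,121,152,182,213,244,274,305,335};

static int leapYear(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* 0-based day of year, or -1 when month/day are out of range. The range check
 * happens before the table index, so a month of 12 (or -1) cannot read past the array. */
int day_of_year(int year, int mon, int mday)
{
    if (mon < 0 || mon > 11 || mday < 1 || mday > 31) return -1;
    return (leapYear(year) ? leapMonthStart[mon] : normalMonthStart[mon]) + mday - 1;
}

int main(void)
{
    /* Constructed inputs, including the two values from the "Test with" comment. */
    const char *hosts[] = { "[::1]:8080", "[::1", "]::aaaaayiii", "example.com:80" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s -> %d\n", hosts[i], host_result(hosts[i]));
    printf("day_of_year(2020, 1, 29) = %d\n", day_of_year(2020, 1, 29));
    printf("day_of_year(2019, 12, 1) = %d\n", day_of_year(2019, 12, 1));
    return 0;
}
```

The design point in both functions is the same: validate the input shape (delimiter present, index in range) and return a distinguishable error before touching memory, so a malformed header is answered with a 400 rather than a crash.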

@mobsense mobsense added this to the 4.0.1 milestone Feb 13, 2018
@mobsense mobsense closed this Feb 13, 2018
@mobsense mobsense commented Mar 1, 2018

Test with:

Set the “if-modified-since” field to the «555555555.5555554555» value.

Set the “Host” field to the «]::aaaaayiii» value.
