NULL dereference for invalid Host and If-Modified-* headers #264

mobsense opened this issue Feb 6, 2018 · 1 comment



@mobsense mobsense commented Feb 6, 2018


A security vulnerability affecting GoAhead versions 3-4 up to and including 4.0.0 with specially crafted if-modified or host headers has been identified. This bulletin discusses this flaw and its implications.


An HTTP POST request with specially crafted, invalid if-modified and/or Host header fields may cause a NULL dereference and thus cause a denial of service.


If the "host" field of an HTTP request does not contain a closing IPv6 ']' character, a NULL dereference will occur.

If the "if-modified-since" or "if-unmodified-since" headers contain an invalid time such that the month decodes to be greater than 11, a NULL dereference will occur.

Threat Scope

Versions up to and including 4.0.0. Fixed in 4.0.1.


Medium. An attacker could cause a denial of service.


Apply the quick patch below to GoAhead 3.X to 4.X. Alternatively, upgrade to GoAhead 4.0.1.

Quick Patch

In socket.c:

diff --git a/src/socket.c b/src/socket.c
index 36530efd..01fc721d 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -1295,8 +1295,9 @@ PUBLIC int socketParseAddress(cchar *address, char **pip, int *pport, int *secur

                 /* Set ipAddr to ipv6 address without brackets */
                 ip = sclone(address + 1);
-                cp = strchr(ip, ']');
-                *cp = '\0';
+                if ((cp = strchr(ip, ']')) != 0) {
+                    *cp = '\0';
+                }
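
Review bot: The new `if` around `*cp = '\0';` has no else branch, so when `strchr(ip, ']')` finds nothing the function carries on with `ip` holding everything after the first character of `address` and with `cp` set to NULL. An address with no closing bracket is malformed, so it would be safer to fail at this point (free `ip` and return an error) than to pass the unterminated string along. At minimum, confirm that nothing after this block dereferences `cp`.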

In time.c:

@@ -575,8 +602,12 @@ static void validateTime(struct tm *tp, struct tm *defaults)
         tp->tm_mday = defaults->tm_mday;
     if (tp->tm_yday < 0) {
-        tp->tm_yday = (leapYear(tp->tm_year + 1900) ?
-            leapMonthStart[tp->tm_mon] : normalMonthStart[tp->tm_mon]) + tp->tm_mday - 1;
+        if (tp->tm_mon <= 11) {
+            tp->tm_yday = (leapYear(tp->tm_year + 1900) ?
+                leapMonthStart[tp->tm_mon] : normalMonthStart[tp->tm_mon]) + tp->tm_mday - 1;
+        } else {
+            tp->tm_yday = defaults->tm_yday;
+        }
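
Review bot: The guard `if (tp->tm_mon <= 11)` checks only the upper bound. `tm_mon` is a signed int in `struct tm`, so a negative month would still index `leapMonthStart` or `normalMonthStart` out of range; suggest `if (tp->tm_mon >= 0 && tp->tm_mon <= 11)`. The else branch also leaves the out-of-range `tm_mon` in place, so either reset it from `defaults` here or check that later code does not index a table with it.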

Please contact Embedthis if you require further information, test code or assistance at

@mobsense mobsense added this to the 4.0.1 milestone Feb 13, 2018
@mobsense mobsense closed this Feb 13, 2018


@mobsense mobsense commented Mar 1, 2018

Test with:

Set the “if-modified-since” field to the «555555555.5555554555» value.

Set the “Host” field with the «]::aaaaayiii» value.
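
The two checks this issue is about, written as a stand-alone added example (not Embedthis code and not part of the original issue): a bracketed-IPv6 host parser that rejects a missing `]`, and a day-of-year lookup that rejects an out-of-range month. The function names, the month table and the error convention (-1) are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: split "[v6addr]" or "[v6addr]:port".
   Returns 0 and fills ip/port on success, -1 on malformed input. */
int parse_bracketed_host(const char *host, char *ip, size_t iplen, int *port)
{
    const char *end;
    char *stop;
    size_t len;
    long p;

    if (host == NULL || ip == NULL || port == NULL || host[0] != '[') return -1;
    /* The lookup the unpatched code assumed would always succeed. */
    if ((end = strchr(host + 1, ']')) == NULL) return -1;
    len = (size_t) (end - (host + 1));
    if (len == 0 || len >= iplen) return -1;
    memcpy(ip, host + 1, len);
    ip[len] = '\0';
    *port = -1;                              /* -1 means no port was given */
    if (end[1] == '\0') return 0;
    /* Anything after ']' must be ':' followed by a decimal port. */
    if (end[1] != ':' || end[2] < '0' || end[2] > '9') return -1;
    p = strtol(end + 2, &stop, 10);
    if (*stop != '\0' || p < 1 || p > 65535) return -1;
    *port = (int) p;
    return 0;
}

/* Cumulative days before each month in a non-leap year (assumed table). */
static const int month_start[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

/* Zero-based day of year, or -1 when mon or mday cannot index safely.
   Both bounds of mon are checked, since struct tm fields are signed. */
int yday_from_month(int mon, int mday, int leap)
{
    if (mon < 0 || mon > 11 || mday < 1 || mday > 31) return -1;
    return month_start[mon] + ((leap && mon > 1) ? 1 : 0) + mday - 1;
}
```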
