libevent (stack) buffer overflow in evutil_parse_sockaddr_port() #318

Closed
asn-d6 opened this issue Jan 27, 2016 · 2 comments
asn-d6 commented Jan 27, 2016

Hello,

in evutil.c:

1798     char buf[128];
...
...
1809     cp = strchr(ip_as_string, ':');
1810     if (*ip_as_string == '[') {
1811         int len;
1812         if (!(cp = strchr(ip_as_string, ']'))) {
1813             return -1;
1814         }
1815         len = (int) ( cp-(ip_as_string + 1) );
1816         if (len > (int)sizeof(buf)-1) {
1817             return -1;
1818         }
1819         memcpy(buf, ip_as_string+1, len);

The length between '[' and ']' is cast to a signed 32-bit integer on line 1815. If the length is more than 2<<31 (INT_MAX), len will hold a negative value. Consequently, it will pass the check at line 1816. The segfault happens at line 1819.

Generate a resolv.conf with generate-resolv.conf, then compile and run poc.c. See entry-functions.txt for functions in tor that might be vulnerable.

Please credit 'Guido Vranken' for this discovery through the Tor bug bounty program.
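
An added example, not code from the issue, the attached PoC or libevent: the first two functions reproduce the quoted length check with the '[' to ']' distance passed in as a number, so the wrap to a negative int can be observed without allocating a multi-gigabyte string, and sit beside the same check done unsigned. The third is a hypothetical hardened extraction of the bracketed host into a fixed buffer. The names vulnerable_check_passes, hardened_check_passes, extract_bracketed_host and demo_oversized_host are assumptions; the constructed "[aaa...]:80" input is built inline.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDR_BUF 128   /* same size as 'char buf[128]' in the quoted code */

/* Emulates lines 1815-1816 of the quoted evutil.c: the distance between
 * '[' and ']' is cast to int and compared as a signed value. Takes the
 * distance as a number so the effect is visible without a 2 GiB string.
 * Returns 1 if the check would let the memcpy on line 1819 run. */
int vulnerable_check_passes(size_t distance)
{
    int len = (int) distance;           /* wraps for distance > INT_MAX */
    if (len > (int) ADDR_BUF - 1)       /* a negative len slips through */
        return 0;
    return 1;
}

/* Hardened check: keep the length unsigned and compare it against the
 * buffer size as size_t. No distance passes this and overflows buf. */
int hardened_check_passes(size_t distance)
{
    if (distance > (size_t) ADDR_BUF - 1)
        return 0;
    return 1;
}

/* Hypothetical hardened extraction of the host part of "[host]:port" into a
 * caller-supplied buffer (not libevent's code). Returns 0 on success and -1
 * on malformed input, on an oversized host, or on a zero-length buffer. */
int extract_bracketed_host(const char *s, char *out, size_t outlen)
{
    const char *close;
    size_t len;

    if (s == NULL || out == NULL || outlen == 0 || *s != '[')
        return -1;
    close = strchr(s, ']');
    if (close == NULL)
        return -1;
    /* close is at or after s + 1, so the difference is non-negative and the
     * size_t comparison below cannot be defeated by a wrapped value. */
    len = (size_t) (close - (s + 1));
    if (len > outlen - 1)
        return -1;
    memcpy(out, s + 1, len);
    out[len] = '\0';
    return 0;
}

/* Builds a constructed "[aaaa...]:80" string whose host is longer than
 * ADDR_BUF and returns the result of the hardened extraction (expected -1). */
int demo_oversized_host(void)
{
    char input[512];
    char host[ADDR_BUF];
    size_t n = 300;                     /* host longer than the 128-byte buffer */

    input[0] = '[';
    memset(input + 1, 'a', n);
    memcpy(input + 1 + n, "]:80", 5);   /* copies the terminating NUL too */
    return extract_bracketed_host(input, host, sizeof host);
}

int main(void)
{
    char host[ADDR_BUF];
    size_t huge = (size_t) INT_MAX + 1; /* smallest distance that wraps negative */

    printf("vulnerable check lets distance %zu through: %d\n",
           huge, vulnerable_check_passes(huge));
    printf("hardened check lets distance %zu through:   %d\n",
           huge, hardened_check_passes(huge));
    if (extract_bracketed_host("[::1]:443", host, sizeof host) == 0)
        printf("host part of \"[::1]:443\" is \"%s\"\n", host);
    printf("oversized host rejected: %d\n", demo_oversized_host() == -1);
    return 0;
}
```

The conversion of an out-of-range value to int is implementation-defined in C; on the two's-complement compilers libevent is built with, (size_t) INT_MAX + 1 becomes INT_MIN, which is why the signed comparison lets it through while the unsigned one does not.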

@azat azat closed this as completed in 329acc1 Feb 1, 2016

azat commented Feb 1, 2016 via email

@azat azat added the backport label Feb 1, 2016

lfam commented Feb 2, 2017

This was assigned CVE-2016-10196:

http://seclists.org/oss-sec/2017/q1/282

BrendanCunningham pushed a commit to BrendanCunningham/ompi that referenced this issue Jul 26, 2022
…i#10542.

CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10195
libevent issue: libevent dns remote stack overread vulnerability
    libevent/libevent#317
libevent fixing commit: libevent/libevent@96f64a0

CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10196
libevent issue: libevent (stack) buffer overflow in
    evutil_parse_sockaddr_port() libevent/libevent#318
libevent fixing commit: libevent/libevent@329acc1

CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10197
libevent issue: out-of-bounds read in search_make_new()
    libevent/libevent#332
libevent fixing commit: libevent/libevent@ec65c42

Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>
jsquyres pushed a commit to BrendanCunningham/ompi that referenced this issue Sep 22, 2022