heap buffer overflow in dcputs #80
Comments
This issue is not reproducible since 8b29e8e. I'll investigate it to make sure it is really fixed. For the record, this issue was assigned identifier CVE-2017-11732.
Hum, in fact the problem is still here. First thing I noticed after some debugging in This should be easy to fix, something like I'll submit a PR once we're done with #94. I'll also have to make sure it's enough to fix the CVE.
Oh, right, here is another issue: This issue is much trickier to fix because it may involve some non-trivial code refactoring.
The dcputs function appends the passed string at the end of the global string buffer (dcstr), adapting the buffer's size if necessary. In order to determine whether a buffer size update is necessary or not, the size of the passed string is retrieved using "int len=strlen(s)", which is incorrect since strlen returns the passed string's size without the null character (should be int len=strlen(s)). This means that the passed string may be strcat-ed to the buffer even if the buffer is too small to hold it, leading to a heap buffer overflow. This commit addresses this issue (CVE-2017-11732, closes libming#80).
The dcputs function appends the passed string at the end of the global string buffer (dcstr), adapting the buffer's size if necessary. Unfortunately, the strsize variable which holds the global buffer's size is initialized to 0 in dcinit(), which means that no place for the \0 character is reserved. Hence, whenever dcputs tries to strcat a string to the global buffer, a byte may be missing, leading to a heap buffer overflow. This commit addresses this issue (CVE-2017-11732, closes libming#80).
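As an added illustration, not libming's code and not part of this thread, the append-with-growth logic the two commit messages describe, written so that the terminating byte is counted both when the buffer is initialised and in the growth check. The names dcstr, strsize, dcinit and dcputs follow the commit messages; dc_needed_size, dcget, dcsize, dclen and dcfree are assumed helpers added for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reconstruction for illustration only; layout and names follow the
 * issue's description of the bug, not libming's actual source. */
static char *dcstr = NULL;    /* growable output buffer */
static size_t strsize = 0;    /* bytes allocated for dcstr */
static size_t strlength = 0;  /* bytes in use, excluding the '\0' */

/* Bytes needed to hold `cur` bytes of text, `add` more, and the '\0'.
 * The missing "+ 1" here is exactly the off-by-one the fix addresses. */
size_t dc_needed_size(size_t cur, size_t add) { return cur + add + 1; }

int dcinit(void) {
    strsize = 1;              /* reserve room for '\0' from the start */
    dcstr = malloc(strsize);
    if (!dcstr) return -1;
    dcstr[0] = '\0';
    strlength = 0;
    return 0;
}

int dcputs(const char *s) {
    size_t len = strlen(s);
    if (len > SIZE_MAX - strlength - 1) return -1;   /* size_t wrap guard */
    size_t need = dc_needed_size(strlength, len);
    if (need > strsize) {                            /* grow before copying */
        size_t newsize = strsize ? strsize : 1;
        while (newsize < need) newsize *= 2;
        char *p = realloc(dcstr, newsize);
        if (!p) return -1;
        dcstr = p;
        strsize = newsize;
    }
    memcpy(dcstr + strlength, s, len + 1);   /* copies the '\0' as well */
    strlength += len;
    return 0;
}

const char *dcget(void) { return dcstr; }
size_t dcsize(void) { return strsize; }
size_t dclen(void) { return strlength; }
void dcfree(void) { free(dcstr); dcstr = NULL; strsize = strlength = 0; }

int main(void) {
    if (dcinit() != 0 || dcputs("hello") != 0 || dcputs(" world") != 0) return 1;
    printf("%s (len %zu, alloc %zu)\n", dcget(), dclen(), dcsize());
    dcfree();
    return 0;
}
```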
I have submitted a pull request with a fix for the first issue mentioned here. Even if I wasn't completely wrong, the first explanation/fix I provided here wasn't completely right and I had to investigate this issue further. You'll find more detailed explanations in #96. Concerning the second issue: Nothing critical, and IMO it's a separate issue not related to CVE-2017-11732. I'll open a separate bug report and investigate it further.
Thanks, I've merged #96
On the latest libming version, a heap buffer overflow was found in function dcputs.
Testcase: https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_dcputs
Credit: ADLab of Venustech