
List:       oss-security
Subject:    [oss-security] CVE request: possible miniupnpc buffer overflow
From:       Murray McAllister <mmcallis () redhat ! com>
Date:       2014-04-30 6:45:26
Message-ID: 53609C06.8010809 () redhat ! com

Good morning,

It was pointed out in
https://bugzilla.redhat.com/show_bug.cgi?id=1085618 that miniupnpc
version 1.9 fixes a possible buffer overflow:

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9

I am not familiar with the code but it may be just a crash, with an
invalid read here (on line 131):

129                         /* parse header lines */
130                         for(i = 0; i < endofheaders - 1; i++) {
131                                 if(colon <= linestart && header_buf[i]==':')

Can a CVE be assigned if one has not been already?

On a related note, I'm not sure if there are other issues close by. For
example, in version 1.9, miniwget.c:

172                         /* copy the remaining of the received data back to buf */
173                         n = header_buf_used - endofheaders;
174                         memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned.
Mixing the types together (and the signed int in the memcpy) may warrant
further investigation.

Cheers,

--
Murray McAllister / Red Hat Security Response Team
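The signed/unsigned mixing raised in the second snippet is easier to reason about with a small worked example. The following C program is an added illustration, not code from miniupnpc or from the message above; the function names and the sample header bytes are constructed for the demonstration. It reproduces the arithmetic pattern `n = header_buf_used - endofheaders` with an unsigned count and a signed offset, shows what value memcpy would receive if the offset ever exceeded the fill level, and places a bounds-checked variant beside it that validates the offset and the destination capacity before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the arithmetic quoted from miniwget.c: an unsigned byte count minus
 * a signed offset, stored into a signed int. Hypothetical helper name; this is
 * not miniupnpc's own code. The int operand is converted to unsigned, the
 * subtraction wraps modulo 2^32, and the result is narrowed back to int. On
 * two's-complement compilers (gcc, clang) the narrowing yields a negative n. */
int remaining_as_written(unsigned int header_buf_used, int endofheaders)
{
    int n = header_buf_used - endofheaders;
    return n;
}

/* The length memcpy would actually see: n is converted to size_t, so a
 * negative n turns into a count close to SIZE_MAX. */
size_t memcpy_len_as_written(unsigned int header_buf_used, int endofheaders)
{
    int n = remaining_as_written(header_buf_used, endofheaders);
    return (size_t)n;
}

/* Hardened variant (constructed here, not a proposed upstream patch): keep
 * every quantity in size_t, reject offsets outside the received data, and
 * reject copies larger than the destination. Returns bytes copied or -1. */
long copy_remaining_checked(char *buf, size_t buf_size,
                            const char *header_buf, size_t header_buf_used,
                            int endofheaders)
{
    if (endofheaders < 0 || (size_t)endofheaders > header_buf_used)
        return -1;                        /* offset outside received data */
    size_t n = header_buf_used - (size_t)endofheaders;
    if (n > buf_size)
        return -1;                        /* would overflow the destination */
    memcpy(buf, header_buf + endofheaders, n);
    return (long)n;
}

/* Constructed sample: 8 bytes of headers followed by 6 bytes of body. */
static const char sample_header_buf[] = "HDR:\r\n\r\nBODY!!";

/* Runs the checked copy over the sample and reports whether the bytes moved
 * to the front of buf match `expected` (NULL means the copy must be refused). */
int demo_copy_yields(int endofheaders, size_t buf_size, const char *expected)
{
    char buf[64];
    memset(buf, 0, sizeof buf);
    if (buf_size > sizeof buf - 1)
        return 0;
    long n = copy_remaining_checked(buf, buf_size, sample_header_buf,
                                    sizeof sample_header_buf - 1, endofheaders);
    if (n < 0)
        return expected == NULL;
    return expected != NULL && (size_t)n == strlen(expected) &&
           memcmp(buf, expected, (size_t)n) == 0;
}

int main(void)
{
    /* Normal case: offset inside the data, remaining length is positive. */
    printf("n (used=100, end=40)  = %d\n", remaining_as_written(100u, 40));
    /* Offset past the fill level: n goes negative, memcpy length goes huge. */
    printf("n (used=100, end=140) = %d\n", remaining_as_written(100u, 140));
    printf("memcpy len            = %zu\n", memcpy_len_as_written(100u, 140));
    printf("checked copy ok       = %d\n", demo_copy_yields(8, 16, "BODY!!"));
    printf("checked copy refused  = %d\n", demo_copy_yields(20, 16, NULL));
    return 0;
}
```

The point the program makes is that the unsafe value never surfaces as a negative number at the memcpy call site, because the conversion to size_t happens silently at the call; the only reliable defence is to validate the offset against the actual fill level, in one unsigned type, before the subtraction is performed.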