
[core] fix one-byte OOB read (underflow)

In some circumstances, if the character on the heap prior to the
beginning of the request is '\r', then it would be overwritten with '\0'

With default compiler flags, this does not appear to occur in practice
and we therefore believe it to be a low-probability vulnerability.

(thx Antonio Morales)

This issue was discovered and reported by GSL team member @antonio-morales
<https://github.com/antonio-morales> (Antonio Morales)
tags/lighttpd-1.4.55
Glenn Strauss 5 months ago
parent
commit
f37c16aadd
1 changed files with 0 additions and 2 deletions
src/request.c

@@ -603,9 +603,7 @@ static size_t http_request_parse_reqline(server *srv, connection *con, buffer *h
size_t j, jlen;

/* \r\n -> \0\0 */
#ifdef __COVERITY__
if (0 == i) return 400;
#endif
if (ptr[i-1] == '\r') {
ptr[i-1] = '\0';
} else if (http_header_strict) { /* '\n' */
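Review bot: the `if (0 == i) return 400;` guard ahead of `ptr[i-1]` carries no comment explaining why `i` can be zero at this point, and the commit title calls this an OOB read while the message body and the `ptr[i-1] = '\0';` line show a one-byte write before the buffer as well; I would name both in the message and put a one-line comment on the guard. The +/- markers did not survive on this page, but with 0 additions and 2 deletions in a 9-to-7-line hunk the removed pair is presumably the `#ifdef __COVERITY__` / `#endif` wrapper, which would mean the check previously existed only for the static analyzer; a regression test covering the `i == 0` case would keep the guard from being compiled out again.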

