Ticket #713 (closed defect: fixed)

Opened 2 years ago

Last modified 11 months ago

UNIX_PATH_MAX - bad assumption - buffer overflow

Reported by: jimmy@inet-solutions.be
Assigned to: jan
Priority: normal
Milestone: 1.4.17
Component: core
Version: 1.4.11
Severity: major
Keywords:
Cc:
Blocking:
Need Feedback: 0

Description (Last modified by moo)

There is at least one buffer overflow in src/spawn-fcgi.c, since if UNIX_PATH_MAX is not defined, it is set to 108, which may NOT be assumed! One should use sizeof() instead.

You should also check src/mod_fastcgi.c, src/mod_scgi.c and src/spawn-fcgi.c. I was not able to exploit the overflow in src/spawn-fcgi.c in any kind, but this is generally a very bad practice and could lead to problems when using external management applications and/or lead to potential security problems in those modules; now or in the future. Maybe it already IS vulnerable on some platforms!

At least on OpenBSD/FreeBSD in sys/un.h:

/*
 * Definitions for UNIX IPC domain.
 */
struct sockaddr_un {
        unsigned char   sun_len;        /* sockaddr len including null */
        sa_family_t     sun_family;     /* AF_UNIX */
        char    sun_path[104];          /* path name (gag) */
};

Attachments

Change History

07/02/2006 11:42:39 AM changed by moo

  • description changed.

08/18/2007 09:44:24 AM changed by jan

  • status changed from new to closed.
  • resolution set to fixed.
  • blocking changed.
  • pending changed.

fixed in [1944]

08/18/2007 09:46:59 AM changed by jan

  • milestone set to 1.4.17.

fixed in [1944] for 1.4.x and [1945] for 1.5.0
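
Added example (not part of the original ticket and not lighttpd's code): one way to fill a sockaddr_un with the bound taken from sizeof(sun_path), as the report recommends, instead of a hardcoded 108. The helper name fill_unix_addr and the sample path are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (name is an assumption, not a lighttpd function).
 * Fills *addr for a UNIX-domain socket at `path`.
 * Returns the length to pass to bind()/connect(), or 0 with errno set
 * to ENAMETOOLONG when the path plus its NUL terminator does not fit. */
socklen_t fill_unix_addr(struct sockaddr_un *addr, const char *path)
{
    size_t len = strlen(path);

    /* The bound comes from the platform's own struct, not a constant:
     * the ticket quotes sun_path[104] from OpenBSD/FreeBSD sys/un.h,
     * so a fallback of 108 would allow writes past the array there. */
    if (len >= sizeof(addr->sun_path)) {
        errno = ENAMETOOLONG;
        return 0;
    }

    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1);   /* copy includes the NUL */

    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + 1);
}

int main(void)
{
    struct sockaddr_un addr;
    char path[106];

    /* Constructed sample input: a 105-character path, which is under
     * 108 but over the 104-byte sun_path quoted in the ticket. */
    memset(path, 'a', sizeof(path) - 1);
    path[0] = '/';
    path[sizeof(path) - 1] = '\0';

    printf("sizeof(sun_path) on this platform: %zu\n", sizeof(addr.sun_path));
    if (fill_unix_addr(&addr, path) == 0)
        printf("105-byte path rejected (ENAMETOOLONG)\n");
    else
        printf("105-byte path accepted\n");
    return 0;
}
```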

