| Summary: | Buffer overflow in httpd | | |
|---|---|---|---|
| Product: | Busybox | Reporter: | inguin |
| Component: | Networking | Assignee: | unassigned |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | busybox-cvs, ronald.wahl |
| Priority: | P5 | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | All | | |
| Host: | | Target: | |
| Build: | | | |

Fixed, thanks!

There is a bug in Busybox httpd that allows an attacker to provoke a heap buffer overflow:

When a client requests a URL that points to a directory and omits the trailing slash, the httpd will generate a 302 Found response. The response contains a Location: header that copies the client-provided URL path and query string. There is no length check when writing those strings into iobuf (httpd.c:970). The data originally comes from iobuf, but together with the remaining header lines the total response size can exceed the buffer size.

Steps to reproduce:

    mkdir test
    python -c 'print("get /test?" + ("x" * 8192))' | valgrind ./busybox httpd -i -h .
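
The missing check described in the report, shown as an added example; this is not Busybox's code and not the fix that was committed. The function name `build_redirect`, the header layout and the 8192-byte `IOBUF_SIZE` are assumptions made for illustration. The redirect is rejected when the fixed header text plus path and query would not fit the response buffer.

```c
#include <stdio.h>
#include <string.h>

#define IOBUF_SIZE 8192 /* assumed size, chosen to match the report's 8192-byte query */

/* Hypothetical helper, not Busybox code: builds the 302 redirect for a
 * directory URL requested without its trailing slash.
 * Returns the response length, or -1 if it would not fit in out[cap]. */
int build_redirect(char *out, size_t cap, const char *path, const char *query)
{
    int has_query = (query != NULL && *query != '\0');

    /* An unchecked sprintf() here is the pattern the report describes:
     * path and query each fit the request buffer, but the added header
     * text makes the response longer than the request was. */
    int n = snprintf(out, cap,
                     "HTTP/1.1 302 Found\r\n"
                     "Location: %s/%s%s\r\n"
                     "\r\n",
                     path, has_query ? "?" : "", has_query ? query : "");

    /* snprintf returns the length it needed; n >= cap means truncation. */
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            out[0] = '\0'; /* never send a truncated Location header */
        return -1;         /* caller should answer with an error status */
    }
    return n;
}

int main(void)
{
    static char iobuf[IOBUF_SIZE];
    static char query[IOBUF_SIZE + 1];

    /* Constructed input mirroring the report: /test?xxx... (8192 x's). */
    memset(query, 'x', IOBUF_SIZE);
    query[IOBUF_SIZE] = '\0';

    int small = build_redirect(iobuf, sizeof iobuf, "/test", "a=1");
    int big = build_redirect(iobuf, sizeof iobuf, "/test", query);
    printf("short query: %d bytes, oversized query: %d\n", small, big);
    return (small > 0 && big == -1) ? 0 : 1;
}
```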