Bug 8426 - Buffer overflow in httpd
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Networking
Version: unspecified
Hardware: PC All
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2015-10-22 17:34 UTC by inguin
Modified: 2015-10-23 09:50 UTC
Description inguin 2015-10-22 17:34:44 UTC
There is a bug in Busybox httpd that allows an attacker to provoke a heap buffer overflow: When a client requests a URL that points to a directory and omits the trailing slash, the httpd will generate a 302 Found response. The response contains a Location: header that copies the client-provided URL path and query string. There is no length check when writing those strings into iobuf (httpd.c:970). The data originally comes from iobuf, but together with the remaining header lines the total response size can exceed the buffer size.

Steps to reproduce:

mkdir test
python -c 'print("get /test?" + ("x" * 8192))' | valgrind ./busybox httpd -i -h .
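
A bounded way to build the redirect response described in this report, as an added example that is not BusyBox's code or the fix that was committed. The names build_redirect and try_query_len, the IOBUF_SIZE value and the reduced header set are assumptions made for the example; the 8192-byte query is constructed to match the size used in the reproduction steps.

```c
#include <stdio.h>
#include <string.h>

#define IOBUF_SIZE 8192            /* assumed buffer size for this example */

/* Write a 302 response for a directory requested without a trailing slash.
 * Returns the response length, or -1 if it would not fit in out[]. */
static int build_redirect(char *out, size_t outsz,
                          const char *path, const char *query)
{
    int n = snprintf(out, outsz,
                     "HTTP/1.0 302 Found\r\n"
                     "Location: %s/%s%s\r\n\r\n",
                     path, query ? "?" : "", query ? query : "");
    if (n < 0 || (size_t)n >= outsz) {   /* truncated: refuse to send */
        if (outsz) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed check: query of qlen 'x' bytes, guard bytes after the buffer.
 * Returns 1 if built, 0 if rejected as too long, -1 if the guard changed. */
static int try_query_len(size_t qlen)
{
    static struct { char iobuf[IOBUF_SIZE]; char guard[16]; } m;
    static char query[2 * IOBUF_SIZE];

    if (qlen >= sizeof query) return 0;
    memset(query, 'x', qlen);
    query[qlen] = '\0';
    memset(m.guard, 0x5a, sizeof m.guard);

    int n = build_redirect(m.iobuf, sizeof m.iobuf, "/test", query);
    for (size_t i = 0; i < sizeof m.guard; i++)
        if (m.guard[i] != 0x5a) return -1;
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("short query: %d\n", try_query_len(16));
    printf("8192-byte query: %d\n", try_query_len(8192));
    return 0;
}
```

The point is that the length check covers the whole response, fixed header text included, not only the client-supplied path and query. A caller would answer a -1 with an error status instead of sending a truncated Location header.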
Comment 1 Denys Vlasenko 2015-10-23 09:50:48 UTC
Fixed, thanks!