oss-sec mailing list archives
CVE request: possible miniupnpc buffer overflow
From: Murray McAllister <mmcallis () redhat com>
Date: Wed, 30 Apr 2014 16:45:26 +1000
Good morning,

It was pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=1085618 that miniupnpc version 1.9 fixes a possible buffer overflow:

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9

I am not familiar with the code but it may be just a crash, with an invalid read here (on line 131):

    129 /* parse header lines */
    130 for(i = 0; i < endofheaders - 1; i++) {
    131     if(colon <= linestart && header_buf[i]==':')

Can a CVE be assigned if one has not been already?

On a related note, I'm not sure if there are other issues close by. For example, in version 1.9, miniwget.c:

    172 /* copy the remaining of the received data back to buf */
    173 n = header_buf_used - endofheaders;
    174 memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned. Mixing the types together (and the signed int in the memcpy) may warrant further investigation.

Cheers,

--
Murray McAllister / Red Hat Security Response Team
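The following is an added illustration of the signed/unsigned mix on lines 173-174 above; it is not miniupnpc's code and not part of the mail. It shows the size memcpy would receive if endofheaders ever exceeded header_buf_used, next to a checked copy that validates the offset and the destination capacity first. The sample header, buffer sizes and the function names copy_remaining_checked and unchecked_copy_len are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 38 bytes of headers followed by a 4-byte body (42 total). */
static const char SAMPLE[] = "HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nbody";
static char g_out[64];           /* destination buffer used by main() and the tests */

/* The value memcpy would receive for the unchecked expression
 *     n = header_buf_used - endofheaders;   (unsigned - int, stored in an int)
 * once n is converted to size_t at the call.  No copy is performed here. */
static size_t unchecked_copy_len(unsigned int header_buf_used, int endofheaders)
{
    int n = header_buf_used - endofheaders;
    return (size_t)n;
}

/* Hardened form (hypothetical): validate the offset against the bytes actually
 * received and the destination capacity before any arithmetic reaches memcpy.
 * Returns the number of bytes copied, or -1 if the inputs are inconsistent. */
static long copy_remaining_checked(char *buf, size_t buf_cap,
                                   const char *header_buf,
                                   unsigned int header_buf_used,
                                   int endofheaders)
{
    if (endofheaders < 0 || (unsigned int)endofheaders > header_buf_used)
        return -1;                       /* header parse failed or ran past the data */
    size_t n = header_buf_used - (unsigned int)endofheaders;   /* cannot wrap now */
    if (n > buf_cap)
        return -1;                       /* refuse rather than overrun buf */
    memcpy(buf, header_buf + endofheaders, n);
    return (long)n;
}

int main(void)
{
    unsigned int used = (unsigned int)strlen(SAMPLE);   /* 42 */
    int eoh_ok = 38, eoh_bad = 50;                      /* bad: past the end of received data */

    printf("unchecked, eoh=%d: memcpy size %zu\n", eoh_ok, unchecked_copy_len(used, eoh_ok));
    printf("unchecked, eoh=%d: memcpy size %zu\n", eoh_bad, unchecked_copy_len(used, eoh_bad));
    printf("checked,   eoh=%d: %ld bytes copied\n", eoh_ok,
           copy_remaining_checked(g_out, sizeof g_out, SAMPLE, used, eoh_ok));
    printf("checked,   eoh=%d: %ld (rejected)\n", eoh_bad,
           copy_remaining_checked(g_out, sizeof g_out, SAMPLE, used, eoh_bad));
    return 0;
}
```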
Current thread:
- CVE request: possible miniupnpc buffer overflow Murray McAllister (Apr 29)
- Re: CVE request: possible miniupnpc buffer overflow Murray McAllister (Apr 30)
- Re: CVE request: possible miniupnpc buffer overflow Moritz Muehlenhoff (Jun 06)
- Re: CVE request: possible miniupnpc buffer overflow cve-assign (Jun 06)