oss-sec mailing list archives

Re: CVE request: possible miniupnpc buffer overflow


From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 01 May 2014 10:35:27 +1000

On a related note, I'm not sure if there are other issues close by. For
example, in version 1.9, miniwget.c:

    /* copy the remaining of the received data back to buf */
    n = header_buf_used - endofheaders;
    memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned.
Mixing the types together (and the signed int in the memcpy) may warrant
further investigation.

Upstream investigated this and found it to be safe.

Cheers,

--

Murray McAllister / Red Hat Security Response Team
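
Added example, not part of the original message and not miniupnpc code: it shows how C evaluates an unsigned-minus-int subtraction like the one quoted above, what size memcpy receives when an int length is negative, and one way to write the copy with explicit range checks. The names mixed_subtract, as_memcpy_len and copy_remaining and the sample buffer are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* With `used` unsigned and `endofheaders` int, the usual arithmetic
 * conversions turn endofheaders into unsigned int and the subtraction
 * is done modulo UINT_MAX + 1, so it wraps instead of going negative. */
unsigned int mixed_subtract(unsigned int used, int endofheaders)
{
    return used - endofheaders;
}

/* memcpy takes a size_t; an int length is converted, so a negative
 * value arrives as a very large unsigned one. */
size_t as_memcpy_len(int n)
{
    return (size_t)n;
}

/* Checked form of the copy: validate the offset against the bytes
 * received and the length against the destination before copying.
 * Returns the number of bytes copied, or -1 if a check fails. */
int copy_remaining(char *buf, size_t buf_size, const char *header_buf,
                   unsigned int header_buf_used, int endofheaders)
{
    if (endofheaders < 0 || (unsigned int)endofheaders > header_buf_used)
        return -1;
    size_t n = (size_t)header_buf_used - (size_t)endofheaders;
    if (n > buf_size || n > INT_MAX)
        return -1;
    memcpy(buf, header_buf + endofheaders, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: 19 header bytes followed by 4 body bytes. */
    const char resp[] = "HTTP/1.1 200 OK\r\n\r\nbody";
    char buf[8];

    printf("4u - 10 = %u\n", mixed_subtract(4u, 10));
    printf("(size_t)-6 = %zu\n", as_memcpy_len(-6));
    printf("in range: %d\n", copy_remaining(buf, sizeof buf, resp, 23u, 19));
    printf("offset past data: %d\n", copy_remaining(buf, sizeof buf, resp, 23u, 30));
    return 0;
}
```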

