oss-sec mailing list archives
CVE-2015-0841: off-by-one error in network code of monopd/libcapsinetwork
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 23 Mar 2015 20:32:43 +0100
Niko Tyni privately reported this to us, but we don't think it is exploitable with dlmalloc, so we skipped the embargo:

| There's an off-by-one error in libcapsinetwork network handling code,
| which was merged into monopd in version 0.9.4.
|
| From src/listener.cpp, Listener::checkActivity():
|
| #define MAXLINE 1024
| [...]
| char *readBuf = new char[MAXLINE];
| int n = read((*it)->fd(), readBuf, MAXLINE);
| if (n <= 0) // socket was closed
| {
|     (*it)->setStatus(Socket::Closed);
|     delete[] readBuf;
|     return; // notification is (still) in earlier iteration
| }
| readBuf[n] = 0;
|
| With an input line longer than 1023, this will write zero at readBuf[1024]
| which is out of bounds.

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781043>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781044>
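The following is an added example, not code from monopd, libcapsinetwork or the report above: a bounded reader that keeps the same MAXLINE buffer but reserves the last byte for the terminator, so an over-long line is truncated to 1023 bytes instead of writing past the end of the buffer. The helper names and the pipe-based demo are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAXLINE 1024   /* same buffer size as in the report */

/* Read at most cap-1 bytes into buf and always NUL-terminate inside buf.
 * The reported code read MAXLINE bytes into a MAXLINE-byte buffer and then
 * wrote readBuf[n] with n == MAXLINE; here n can never exceed cap-1.
 * Returns the byte count (0 on EOF) or -1 on error; buf is terminated either way. */
ssize_t read_line_bounded(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);  /* leaves index cap-1 for the NUL */
    if (n < 0) {
        buf[0] = 0;
        return -1;
    }
    buf[n] = 0;                          /* n <= cap-1, so this is in bounds */
    return n;
}

/* Push a constructed line of line_len 'A' bytes through a pipe and read it
 * back with the bounded reader. Returns the number of bytes stored, or -1 if
 * the buffer was not terminated inside its bounds (hypothetical demo helper). */
long demo_overlong_line(size_t line_len)
{
    static char line[4096];              /* constructed test input */
    char buf[MAXLINE];
    int p[2];
    if (line_len > sizeof line || pipe(p) != 0)
        return -1;
    memset(line, 'A', line_len);
    if (write(p[1], line, line_len) != (ssize_t)line_len)
        return -1;
    close(p[1]);
    ssize_t n = read_line_bounded(p[0], buf, sizeof buf);
    close(p[0]);
    if (n < 0 || (size_t)n >= sizeof buf || strlen(buf) != (size_t)n)
        return -1;
    return (long)n;
}

int main(void)
{
    printf("2000-byte line: %ld bytes stored, terminator in bounds\n",
           demo_overlong_line(2000));
    return 0;
}
```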