curl-users

Re: Bug#74569: [SECURITY] buffer overflow in error handling

From: Domenico Andreoli <cavok_at_filibusta.crema.unimi.it>
Date: Fri, 13 Oct 2000 15:03:26 +0200

Some Debian user found a buffer overflow in curl; at the moment I cannot check
new releases of curl for still having it. It doesn't seem such a big security
hole but nobody really knows... :)

Complete bug report and a patch follow.

I warmly suggest patching the CVS tree in order to avoid this problem.

Cheers

On Wed, Oct 11, 2000 at 11:52:38PM +0100, Colin Phipps wrote:
> Package: curl-ssl
> Version: 6.0-1.1
> Severity: grave
>
> There's a buffer overflow in curl's error handling, which can be triggered
> by badly formed responses from the remote server.
>
> cph_at_micro:~/security% cat crash-curl
> 220 Hi
> 230 Ok
> 227 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> (I've split that onto multiple lines for this email, but in reality the
> A's are all on one line)
>
> cph_at_micro:~/security% cat crash-curl | nc -l -p 1234
>
> then, in another terminal...
>
> cph@micro:~% curl ftp://localhost:1234/
> curl: Couldn't interpret this 227-reply: 227 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> zsh: segmentation fault curl ftp://localhost:1234/
>
> (again I split that into shorter lines)
>
> It's a simple buffer overflow, which a malicious remote ftp server could
> exploit. This fix causes the error message to be truncated to the buffer
> size correctly, and I've verified that it fixes the crash.
>
> --- sendf.c.orig Wed Oct 11 23:12:18 2000
> +++ sendf.c Wed Oct 11 23:13:09 2000
> @@ -77,7 +77,7 @@ void failf(struct UrlData *data, char *f
> va_list ap;
> va_start(ap, fmt);
> if(data->errorbuffer)
> - vsprintf(data->errorbuffer, fmt, ap);
> + vsnprintf(data->errorbuffer, URLGET_ERROR_SIZE, fmt, ap);
> else /* no errorbuffer receives this, write to stderr instead */
> vfprintf(stderr, fmt, ap);
> va_end(ap);
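Review bot: the bound URLGET_ERROR_SIZE on the vsnprintf line assumes every buffer handed in through data->errorbuffer is at least that many bytes, but the buffer is caller-supplied and nothing in the hunk enforces that, so the minimum size should be stated where the error-buffer option is documented (or the size carried alongside the pointer and passed here) to keep a shorter caller buffer from reintroducing the overflow. vsnprintf also truncates silently; if a cut message matters, the return value can be compared against URLGET_ERROR_SIZE, keeping in mind that pre-C99 implementations return -1 on truncation rather than the needed length. The stderr branch and the va_end are unchanged and still correct.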
>
> Colin
>
> -- System Information
> Debian Release: 2.2
> Architecture: i386
> Kernel: Linux micro 2.4.0-test1-ac10 #10 Tue Oct 10 23:25:53 BST 2000 i686
>
> Versions of packages curl-ssl depends on:
> ii libc6 2.1.3-13 GNU C Library: Shared libraries an
> ii libssl09 0.9.4-5 SSL shared libraries

-----[ Domenico Andreoli, aka cavok
 --[ curl -s http://www.freeweb.org/free/cavok/gpgkey.asc | gpg --import
  --[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50
Received on 2000-10-14
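The crash in the report comes from formatting an unbounded server reply into a fixed-size error buffer with vsprintf, and the patch bounds the write with vsnprintf. The following C program is an added example, not curl's code and not part of the mail above: it shows the bounded pattern and goes one step further by reporting whether the message was truncated, so a caller can notice an oversized reply. ERRBUF_SIZE, struct errctx, failf_bounded and demo_227_reply are names assumed for this example; the 227 reply it builds is constructed to mirror the crash-curl file in the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; curl's constant is URLGET_ERROR_SIZE. */
#define ERRBUF_SIZE 256

/* Hypothetical stand-in for the relevant part of curl's UrlData. */
struct errctx {
    char *errorbuffer;      /* caller-owned buffer, or NULL for stderr */
    size_t errorbuffer_len; /* size of that buffer in bytes */
};

/* Bounded error formatter in the style of the patched failf().
 * Returns 1 if the message did not fit and was cut, 0 otherwise.
 * The buffer is always NUL-terminated whenever it is written at all. */
int failf_bounded(struct errctx *ctx, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    if (ctx->errorbuffer && ctx->errorbuffer_len > 0) {
        /* C99 vsnprintf writes at most len-1 characters plus the NUL and
         * returns the length the untruncated message would have had. */
        needed = vsnprintf(ctx->errorbuffer, ctx->errorbuffer_len, fmt, ap);
        va_end(ap);
        if (needed < 0) {            /* encoding error: leave an empty string */
            ctx->errorbuffer[0] = '\0';
            return 1;
        }
        return (size_t)needed >= ctx->errorbuffer_len;
    }
    /* No error buffer: write to stderr instead, as the original does. */
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    return 0;
}

static char g_errbuf[ERRBUF_SIZE];   /* fixed-size buffer standing in for errorbuffer */

/* Builds a constructed FTP reply "227 AAAA..." with n_as A's (like the
 * crash-curl file in the report) and formats the "Couldn't interpret"
 * message into g_errbuf. Returns the truncation flag from failf_bounded(). */
int demo_227_reply(size_t n_as)
{
    char reply[1024];
    size_t i;
    struct errctx ctx = { g_errbuf, sizeof(g_errbuf) };

    if (n_as > sizeof(reply) - 5)
        n_as = sizeof(reply) - 5;
    memcpy(reply, "227 ", 4);
    for (i = 0; i < n_as; i++)
        reply[4 + i] = 'A';
    reply[4 + n_as] = '\0';
    return failf_bounded(&ctx, "Couldn't interpret this 227-reply: %s", reply);
}

const char *demo_message(void) { return g_errbuf; }
size_t demo_message_len(void) { return strlen(g_errbuf); }

int main(void)
{
    /* A reply far longer than the buffer, as in the report, is now cut
     * at ERRBUF_SIZE-1 characters instead of overrunning the buffer. */
    int truncated = demo_227_reply(400);
    printf("truncated=%d length=%lu message=%s\n",
           truncated, (unsigned long)demo_message_len(), demo_message());
    return 0;
}
```

The size travels with the pointer in struct errctx rather than being a compile-time constant the caller has to know about, which removes the contract the patch relies on; the return value turns silent truncation into something a caller can log or act on.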