curl-tracker Archives
[curl:bugs] #1193 cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()
From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Tue, 12 Feb 2013 22:55:33 +0000
Thanks, this is now fixed in git with commit e6c1e773d9e506e.
---

** [bugs:#1193] cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()**

**Status:** closed-fixed
**Created:** Mon Feb 11, 2013 10:12 PM UTC by Saran Neti
**Last Updated:** Mon Feb 11, 2013 10:12 PM UTC
**Owner:** nobody

While trying to reproduce the libcurl SASL buffer overflow (as noted in advisory: http://curl.haxx.se/docs/adv_20130206.html) using SMTP, I encountered a separate problem that causes cURL to terminate when processing base64 encoded Digest-MD5 challenges.

Program received signal SIGSEGV, Segmentation fault.
__strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
(gdb) bt
#0  __strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
#1  0x00007ffff7bc624f in sasl_digest_get_key_value () from /usr/local/lib/libcurl.so.4
#2  0x00007ffff7bc68d9 in Curl_sasl_create_digest_md5_message () from usr/local/lib/libcurl.so.4
#3  0x00007ffff7bc1247 in smtp_statemach_act () from /usr/local/lib/libcurl.so.4
#4  0x00007ffff7bc02c6 in smtp_multi_statemach () from /usr/local/lib/libcurl.so.4
#5  0x00007ffff7bb4adf in multi_runsingle () from /usr/local/lib/libcurl.so.4
#6  0x00007ffff7bb54e5 in curl_multi_perform () from /usr/local/lib/libcurl.so.4
#7  0x00007ffff7bae3ed in curl_easy_perform () from /usr/local/lib/libcurl.so.4
#8  0x0000000000409e87 in operate ()
#9  0x000000000040229a in main ()

The following message exchange between cURL and the smtp server should reproduce the problem:

< 220 dhcp164.vrt.telus.com ESMTP (Ubuntu)
> EHLO .
< 250-dhcp164.vrt.telus.com Hello .
< 250 AUTH DIGEST-MD5
> AUTH DIGEST-MD5
< 334
< eA==

When the server sends any base 64 encoded string, in this case "eA==", cURL crashes. The problem is because "chlg" is returned as NULL after the function call to Curl_base64_decode() in function Curl_sasl_create_digest_md5_message() in libs/curl_sasl.c.

Tested using: curl 7.29.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.29.1-DEV
cURL -L was used to connect to a http url containing the smtp redirect.
Compiled from: git rev-parse HEAD: 463082bea42d8bea751303da340218a18fb67e85

Patch:

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index d07387d..4d13263 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -283,6 +283,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
   if(result)
     return result;
 
+  if(chlg == NULL) {
+    return CURLE_LOGIN_DENIED;
+  }
   /* Retrieve nonce string from the challenge */
   if(!sasl_digest_get_key_value(chlg, "nonce=\"", nonce, sizeof(nonce), '\"')) {

I'm not on any mailing list. Please contact me using email directly if I can be of any further assistance.

Cheers,
Saran Neti, Vulnerability Researcher, Telus Security Labs

---

Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1193/>

Received on 2013-02-12
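Review bot: the NULL guard sits in the right place, after the `if(result) return result;` decode error check and before the first use of `chlg` in `sasl_digest_get_key_value()`, which is exactly the `strstr()` call at frame #0 of the backtrace; the one point to raise is the return value. `CURLE_LOGIN_DENIED` tells the caller the server refused the login, whereas the condition being handled is a challenge that decoded to nothing, so an application checking the result cannot tell bad credentials from a malformed or empty server challenge, and a code that names the actual failure would be more useful. Minor style point: the surrounding lines in the hunk write single-statement conditionals without braces (`if(result)` / `return result;`), while the added block uses them.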
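The failure the report describes is a decoded challenge of NULL reaching strstr() inside the key/value lookup. The following is an added example, not libcurl's code: it shows the decode, check, then parse order with a lookup helper that refuses NULL input and unterminated values. The helper is modelled on the shape of sasl_digest_get_key_value() but its name, the minimal base64 decoder, parse_challenge_nonce() and the sample challenges are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libcurl's sasl_digest_get_key_value():
 * copy the value following `key` in `chlg`, up to the character `end`.
 * Returns 1 on success; 0 if chlg is NULL, the key is absent, the value
 * is unterminated, or it does not fit (with NUL) in `max` bytes. */
static int digest_get_key_value(const char *chlg, const char *key,
                                char *value, size_t max, char end)
{
    const char *start, *stop;
    size_t len;

    /* The exact condition from the report: a NULL challenge must never
     * reach strstr(). */
    if(!chlg || !key || !value || max == 0)
        return 0;

    start = strstr(chlg, key);
    if(!start)
        return 0;
    start += strlen(key);

    stop = strchr(start, end);
    if(!stop)
        return 0;                       /* value never terminated */

    len = (size_t)(stop - start);
    if(len >= max)
        return 0;                       /* no room for the terminator */

    memcpy(value, start, len);
    value[len] = '\0';
    return 1;
}

/* Minimal base64 decoder (constructed for this example). Returns the
 * decoded length, or 0 for empty or malformed input, so the caller can
 * treat 0 as "no usable challenge". */
static size_t b64_decode(const char *src, unsigned char *dst, size_t dstmax)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t srclen = strlen(src), out = 0, i;
    unsigned int acc = 0;
    int bits = 0, pad = 0;

    if(srclen == 0 || srclen % 4 != 0)
        return 0;
    for(i = 0; i < srclen; i++) {
        const char *p;
        if(src[i] == '=') {
            if(i + 2 < srclen)          /* padding only in the last two */
                return 0;
            pad = 1;
            continue;
        }
        if(pad)                         /* data after padding */
            return 0;
        p = strchr(tbl, src[i]);
        if(!p)
            return 0;
        acc = ((acc << 6) | (unsigned int)(p - tbl)) & 0xFFFF;
        bits += 6;
        if(bits >= 8) {
            bits -= 8;
            if(out >= dstmax)
                return 0;
            dst[out++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return out;
}

/* Decode a server challenge and look for nonce="..." only if decoding
 * produced bytes. Returns 1 if a nonce was found, 0 otherwise. */
static int parse_challenge_nonce(const char *b64chlg, char *nonce, size_t max)
{
    unsigned char buf[256];
    char chlg[257];
    size_t n = b64_decode(b64chlg, buf, sizeof(buf));

    if(n == 0)
        return 0;                       /* empty or malformed: refuse, do not parse */
    memcpy(chlg, buf, n);
    chlg[n] = '\0';
    return digest_get_key_value(chlg, "nonce=\"", nonce, max, '"');
}

int main(void)
{
    char nonce[64];
    /* "eA==" is the one-byte challenge from the report; the second value
     * is the base64 of the constructed challenge nonce="abc". */
    printf("eA==             -> %d\n", parse_challenge_nonce("eA==", nonce, sizeof(nonce)));
    printf("bm9uY2U9ImFiYyI= -> %d (%s)\n",
           parse_challenge_nonce("bm9uY2U9ImFiYyI=", nonce, sizeof(nonce)), nonce);
    return 0;
}
```

The ordering is the point: the decoder reports failure as a length of zero, the caller stops there, and the lookup additionally defends itself so that a future caller which forgets the check still cannot pass NULL into strstr().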