[curl:bugs] #1193 cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Tue, 12 Feb 2013 22:55:33 +0000

- **status**: open --> closed-fixed
- **milestone**: -->

---
**[bugs:#1193] cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()**
**Status:** closed-fixed
**Created:** Mon Feb 11, 2013 10:12 PM UTC by Saran Neti
**Last Updated:** Mon Feb 11, 2013 10:12 PM UTC
**Owner:** nobody
While trying to reproduce the libcurl SASL buffer overflow (as noted in advisory: http://curl.haxx.se/docs/adv_20130206.html) using SMTP, I encountered a separate problem that causes cURL to terminate when processing base64-encoded Digest-MD5 challenges.
```
Program received signal SIGSEGV, Segmentation fault.
__strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
(gdb) bt
#0  __strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
#1  0x00007ffff7bc624f in sasl_digest_get_key_value () from /usr/local/lib/libcurl.so.4
#2  0x00007ffff7bc68d9 in Curl_sasl_create_digest_md5_message () from /usr/local/lib/libcurl.so.4
#3  0x00007ffff7bc1247 in smtp_statemach_act () from /usr/local/lib/libcurl.so.4
#4  0x00007ffff7bc02c6 in smtp_multi_statemach () from /usr/local/lib/libcurl.so.4
#5  0x00007ffff7bb4adf in multi_runsingle () from /usr/local/lib/libcurl.so.4
#6  0x00007ffff7bb54e5 in curl_multi_perform () from /usr/local/lib/libcurl.so.4
#7  0x00007ffff7bae3ed in curl_easy_perform () from /usr/local/lib/libcurl.so.4
#8  0x0000000000409e87 in operate ()
#9  0x000000000040229a in main ()
```
The following message exchange between cURL and the SMTP server should reproduce the problem:

```
< 220 dhcp164.vrt.telus.com ESMTP (Ubuntu)
> EHLO .
< 250-dhcp164.vrt.telus.com Hello .
< 250 AUTH DIGEST-MD5
> AUTH DIGEST-MD5
< 334
< eA==
```
When the server sends any base64-encoded string, in this case "eA==", cURL crashes.
The problem is that "chlg" is returned as NULL after the call to Curl_base64_decode() in the function Curl_sasl_create_digest_md5_message() in libs/curl_sasl.c.
Tested using:
curl 7.29.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.29.1-DEV

cURL -L was used to connect to an HTTP URL containing the SMTP redirect.
Compiled from:
git rev-parse HEAD: 463082bea42d8bea751303da340218a18fb67e85
Patch: 
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index d07387d..4d13263 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -283,6 +283,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
   if(result)
     return result;
 
+  if(chlg == NULL) {
+    return CURLE_LOGIN_DENIED;
+  }
   /* Retrieve nonce string from the challenge */
   if(!sasl_digest_get_key_value(chlg, "nonce=\"", nonce,
                                 sizeof(nonce), '\"')) {
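Review bot: the new `+  if(chlg == NULL) {` block is the right guard but does not match the surrounding style and carries no explanation; the adjacent `if(result)` / `return result;` shows the file's convention of an unbraced single-statement return, so a form like `/* Ensure we have a valid challenge message */` followed by `if(!chlg)` and one unbraced `return` line would read consistently and tell the next reader why a decode can succeed yet yield no buffer. Also reconsider `CURLE_LOGIN_DENIED`: the condition here is a server challenge that decoded to nothing, which is malformed server data rather than rejected credentials, so a code describing bad input from the server (for example `CURLE_BAD_CONTENT_ENCODING`) would describe the failure more accurately to callers and in logs.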
I'm not on any mailing list. Please contact me using email directly if I can be of any further assistance. 
Cheers,
Saran Neti,
Vulnerability Researcher, Telus Security Labs
---
Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1193/>
Received on 2013-02-12
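The failure pattern the report describes, as an added example that is not curl's code and not part of the report: a base64 decoder that returns success with no buffer for an empty challenge, the strstr() on that NULL pointer that produces frame #0 of the backtrace, and the guarded parse that refuses the challenge first, as the patch does. Every name here (toy_base64_decode, digest_get_key_value, parse_digest_challenge, check, the CHLG_* codes) is this example's own and not a libcurl identifier; the inputs are constructed for the demonstration.

```c
/* Added example (not curl's or the reporter's code): a decoder that hands back
 * no buffer for an empty challenge, the strstr() that then crashes on NULL, and
 * the guarded parse. All names below are this example's own, not libcurl's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { CHLG_OK = 0, CHLG_EMPTY = 1, CHLG_BAD_ENCODING = 2, CHLG_NO_NONCE = 3 };

/* Minimal base64 decoder. As in the path the report describes, an empty input
 * is "success" with *out left untouched (NULL) and *outlen = 0. */
static int toy_base64_decode(const char *src, unsigned char **out,
                             size_t *outlen)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t len = strlen(src), i, n = 0;
  unsigned int acc = 0;
  int bits = 0;
  unsigned char *buf;
  *outlen = 0;
  if(len == 0)
    return 0;                   /* nothing to decode: no buffer allocated */
  if(len % 4 != 0)
    return -1;                  /* malformed: not whole 4-character quantums */
  buf = malloc(len / 4 * 3 + 1);
  if(!buf)
    return -1;
  for(i = 0; i < len && src[i] != '='; i++) {
    const char *p = strchr(tbl, src[i]);
    if(!p) {                    /* character outside the base64 alphabet */
      free(buf);
      return -1;
    }
    acc = (acc << 6) | (unsigned int)(p - tbl);
    bits += 6;
    if(bits >= 8) {
      bits -= 8;
      buf[n++] = (unsigned char)((acc >> bits) & 0xff);
    }
  }
  buf[n] = '\0';
  *out = buf;
  *outlen = n;
  return 0;
}

/* Copy the value following key (up to the end character) into value. The NULL
 * guard is what frame #0 in the report lacked: strstr(NULL, ...) is the crash. */
static int digest_get_key_value(const char *chlg, const char *key,
                                char *value, size_t max, char end)
{
  const char *p;
  size_t n = 0;
  if(!chlg || max == 0)
    return 0;
  p = strstr(chlg, key);
  if(!p)
    return 0;
  p += strlen(key);
  while(*p && *p != end && n < max - 1)
    value[n++] = *p++;
  value[n] = '\0';
  return *p == end;             /* 1 only when a terminated value was found */
}

/* Decode a DIGEST-MD5 challenge and extract its nonce, rejecting an empty or
 * undecodable challenge before touching its contents, as the patch does. */
static int parse_digest_challenge(const char *b64, char *nonce, size_t max)
{
  unsigned char *chlg = NULL;
  size_t chlglen = 0;
  int rc;
  if(toy_base64_decode(b64, &chlg, &chlglen) != 0)
    return CHLG_BAD_ENCODING;
  if(!chlg)                     /* the guard the patch introduces */
    return CHLG_EMPTY;
  rc = digest_get_key_value((const char *)chlg, "nonce=\"", nonce, max, '"')
       ? CHLG_OK : CHLG_NO_NONCE;
  free(chlg);
  return rc;
}

/* Returns 1 when b64 yields want_status and (if given) the expected nonce. */
static int check(const char *b64, int want_status, const char *want_nonce)
{
  char nonce[64] = "";
  int st = parse_digest_challenge(b64, nonce, sizeof(nonce));
  return st == want_status && (!want_nonce || strcmp(nonce, want_nonce) == 0);
}

int main(void)
{
  /* Constructed inputs: an empty challenge, the report's "eA==" (decodes to
   * the single byte "x"), base64 of nonce="abc", and a non-base64 string. */
  printf("empty -> %d\n", check("", CHLG_EMPTY, NULL));
  printf("eA==  -> %d\n", check("eA==", CHLG_NO_NONCE, NULL));
  printf("nonce -> %d\n", check("bm9uY2U9ImFiYyI=", CHLG_OK, "abc"));
  printf("!!!!  -> %d\n", check("!!!!", CHLG_BAD_ENCODING, NULL));
  return 0;
}
```

Without the `if(!chlg)` line in parse_digest_challenge, the empty-challenge case reaches strstr() with a NULL haystack, which is exactly the crash in the backtrace above; with it, a server that sends an empty or unusable challenge gets a clean error instead of a process abort. The distinct CHLG_EMPTY and CHLG_BAD_ENCODING codes are the example's way of making the point from the review note: a malformed server challenge is a different failure from rejected credentials.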
