WAFer icon indicating copy to clipboard operation
WAFer copied to clipboard

Published 20 hours ago verified publisher icon riolet

Buffer overflow in client_error

Open nezza opened this issue 10 years ago • 4 comments

After having a quick look at the code I think you should put a big warning on the README that this code is not at all ready for anything that listens on a public port. Besides the stack overflow that was already reported by MagicalTux there's also this code which will cause a bufferoverflow if msg & longmsg are too long:

void client_error(int fd, int status, char *msg, char *longmsg){
    char buf[MAXLINE];
    sprintf(buf, "HTTP/1.1 %d %s\r\n", status, msg);
    sprintf(buf + strlen(buf),
            "Content-length: %lu\r\n\r\n", strlen(longmsg));
    sprintf(buf + strlen(buf), "%s", longmsg);
    writen(fd, buf, strlen(buf));
}

Pretty sure this is not the only problem remaining.

nezza avatar Jul 25 '14 12:07 nezza

Should be using nprintf()

MagicalTux avatar Jul 25 '14 12:07 MagicalTux

And how is nprintf more secure?

nezza avatar Jul 25 '14 16:07 nezza

nprintf() dynamically allocates buffer space to fit the whole string and will not overflow the buffer.

MagicalTux avatar Jul 25 '14 22:07 MagicalTux

nprintf() NOW dynamically allocates buffer space. As you know. Because you fixed it. https://github.com/riolet/nope.c/issues/14

nezza avatar Jul 26 '14 01:07 nezza