File libhx-fixed-buffer-overflow.dif of Package libHX
From 904a46f90dd3f046bfac0b64a5e813d7cd4fca59 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@medozas.de>
Date: Mon, 16 Aug 2010 19:08:51 +0200
Subject: [PATCH] string: fixed buffer overflow in HX_split when too few fields are present
When HX_split is called with a maximum number of desired fields (4th
argument != 0), passing in a string that has fewer fields than that led
to a buffer overrun (write beyond end of malloc'd area).
CVSS Base Score: 10
- Impact Subscore: 10
- Exploitability Subscore: 10
CVSS Temporal Score: 7.4
CVSS Environmental Score: Undefined
Overall CVSS Score: 7.4
CVSS Base vector:: AV:N/AC:L/Au:N/C:C/I:C/A:C
- AV: libHX may be used by network services
- Au: some services may not require authentication
- A: can cause crash when result is freed
CVSS Temporal vectors:: RL:O/RC:C
Affects all versions prior to, and including, 3.5.
---
src/string.c | 2 +-
src/tx-string.cpp | 12 ++++++++++++
3 files changed, 15 insertions(+), 1 deletions(-)
Index: libHX-2.9/src/string.c
===================================================================
--- libHX-2.9.orig/src/string.c
+++ libHX-2.9/src/string.c
@@ -135,7 +135,7 @@ EXPORT_SYMBOL char **HX_split(const char
}
}
- if (max == 0)
+ if (max == 0 || *cp < max)
max = *cp;
else if (*cp > max)
*cp = max;
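Review bot: A negative `max` still falls through the new test into the unchanged `else if (*cp > max)` branch on the last two lines, so `*cp` is assigned a negative count and whatever allocation follows (outside this hunk) would presumably be sized from it; the added `*cp < max` clause only covers 0 < *cp < max. If a negative limit is not meant to be meaningful, folding it into the unlimited case on the same line, `if (max <= 0 || *cp < max)`, closes that path; otherwise the HX_split header comment should state that `max` must be non-negative. This assumes `*cp` is non-negative after the counting loop whose closing braces open the hunk, which is not visible here. HX_split's body begins and ends outside this hunk.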
Index: libHX-2.9/src/tx-string.cpp
===================================================================
--- libHX-2.9.orig/src/tx-string.cpp
+++ libHX-2.9/src/tx-string.cpp
@@ -132,6 +132,17 @@ static void t_split(void)
free(a1);
}
+static void t_split2(void)
+{
+ static const char tmp[] = "";
+ int c = 0;
+ char **a;
+
+ a = HX_split(tmp, " ", &c, 6);
+ printf("Got %d fields\n", c);
+ HX_zvecfree(a);
+}
+
int main(int argc, const char **argv)
{
hxmc_t *tx = NULL;
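Review bot: t_split2 asserts nothing — `printf("Got %d fields\n", c);` reports the count, so the test passes identically with and without the fix in string.c, and the overrun it is meant to catch only surfaces under a heap checker. A check on the clamp the fix establishes, such as `assert(c <= 6);` in place of the printf, would make the regression visible on its own. The input `""` only touches the boundary; a second call with a non-empty string that has fewer fields than `max`, e.g. `a = HX_split("a b", " ", &c, 6);`, would cover the case the commit message actually describes. main begins at the end of this hunk and continues beyond it.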
@@ -151,5 +162,6 @@ int main(int argc, const char **argv)
t_strncat();
t_strsep();
t_split();
+ t_split2();
return EXIT_SUCCESS;
}