
Bug #2899

security: use-after-free after invalid Range request

Added by gstrauss about 1 month ago.

Status: Fixed
Priority: High
Assignee: -
Category: core
Target version:
Start date: 2018-08-12
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

security: use-after-free after invalid Range request

credit: Marcus Wengelin

I found a use-after-free bug that is triggered when lighttpd parses the range-header in a client request.

This is a minimal example that triggers the bug:

GET /index.html HTTP/1.0
Range:0
Range:bytes=-

When parsing the first range-header, the following check in request.c fails:
0 == strncasecmp(ds->value->ptr, "bytes=", 6)

This means that con->request.http_range is not set. Later in the code, at this line:
if (ds) array_insert_unique(con->request.headers, (data_unset *)ds)
The range header is inserted into the list of headers.

When the valid range-header is parsed, it passes the check and con->request.http_range is set to point to it.
However, when the following line is reached again:
if (ds) array_insert_unique(con->request.headers, (data_unset *)ds)
The valid range-header is freed and appended to the invalid range-header.

con->request.http_range now points to a freed buffer. It is then used in http-header-glue.c, which is now an invalid read.

A fix has been committed in d161f53d.
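The ordering defect the report describes, modelled as an added C example. This is illustrative code written for this page, not lighttpd's request.c, array_insert_unique() or the committed fix: the header list, the merge-on-duplicate semantics of insert_unique(), and the names parse_header_line(), vulnerable_flow() and hardened_flow() are all assumptions made for the illustration. vulnerable_flow() saves the Range pointer from the freshly parsed entry and only then inserts it, so a merged duplicate leaves the pointer dangling (detected here by address comparison, without reading the freed memory). hardened_flow() inserts first, takes the pointer from the entry that actually survives in the list, and treats a merged duplicate Range as no usable range, since a joined value such as "0, bytes=-" is not a byte-range spec; that last choice is one defensive option, not necessarily what the project did.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified header list: insert_unique() merges a duplicate key
 * by appending the new value to the existing entry and freeing the new one.
 * Illustrative model only; not lighttpd's own data structures or code. */
typedef struct { char *key; char *value; } header_t;
typedef struct { header_t *items[16]; int count; } header_list_t;

static char *dup_n(const char *s, size_t n) {
    char *p = malloc(n + 1);
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Case-insensitive "s starts with prefix"; stops safely at NUL of either. */
static int ci_prefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Split "Key:value" into a freshly allocated entry; NULL if there is no colon. */
static header_t *parse_header_line(const char *line) {
    const char *colon = strchr(line, ':');
    if (!colon) return NULL;
    header_t *h = malloc(sizeof *h);
    h->key = dup_n(line, (size_t)(colon - line));
    h->value = dup_n(colon + 1, strlen(colon + 1));
    return h;
}

/* Insert h, or merge it into an existing entry with the same key. On a merge
 * the old value becomes "old, new", h is freed, and *merged is set to 1. */
static header_t *insert_unique(header_list_t *list, header_t *h, int *merged) {
    *merged = 0;
    for (int i = 0; i < list->count; i++) {
        header_t *old = list->items[i];
        if (strlen(old->key) == strlen(h->key) && ci_prefix(old->key, h->key)) {
            size_t n = strlen(old->value) + strlen(h->value) + 3; /* ", " + NUL */
            char *joined = malloc(n);
            snprintf(joined, n, "%s, %s", old->value, h->value);
            free(old->value);
            old->value = joined;
            free(h->value); free(h->key); free(h);   /* the new entry is gone */
            *merged = 1;
            return old;
        }
    }
    list->items[list->count++] = h;
    return h;
}

static void free_list(header_list_t *list) {
    for (int i = 0; i < list->count; i++) {
        header_t *h = list->items[i];
        free(h->key); free(h->value); free(h);
    }
    list->count = 0;
}

/* Is ptr the value buffer of an entry still in the list? Address comparison
 * only; nothing is ever read through ptr. */
static int value_is_live(const header_list_t *list, const char *ptr) {
    for (int i = 0; i < list->count; i++)
        if (list->items[i]->value == ptr) return 1;
    return 0;
}

/* Vulnerable ordering from the report: the Range pointer is taken from the
 * freshly parsed entry before insert_unique() may free it.
 * Returns 1 if http_range ends up pointing at freed memory. */
int vulnerable_flow(const char *lines[], int n) {
    header_list_t list = { {0}, 0 };
    const char *http_range = NULL;
    int dangling = 0, merged;
    for (int i = 0; i < n; i++) {
        header_t *h = parse_header_line(lines[i]);
        if (!h) continue;
        if (ci_prefix(h->value, "bytes=")) http_range = h->value; /* too early */
        insert_unique(&list, h, &merged);                          /* may free h */
        if (http_range && !value_is_live(&list, http_range)) dangling = 1;
    }
    free_list(&list);
    return dangling;
}

/* Hardened ordering (one defensive choice, not the project's patch): insert
 * first, take the pointer from the surviving entry, and treat a merged
 * duplicate Range as no usable range. Returns a malloc'd copy or NULL. */
char *hardened_flow(const char *lines[], int n) {
    header_list_t list = { {0}, 0 };
    const char *http_range = NULL;
    int merged;
    for (int i = 0; i < n; i++) {
        header_t *h = parse_header_line(lines[i]);
        if (!h) continue;
        header_t *kept = insert_unique(&list, h, &merged);   /* h may be freed */
        if (strlen(kept->key) == 5 && ci_prefix(kept->key, "Range"))
            http_range = (!merged && ci_prefix(kept->value, "bytes=")) ? kept->value : NULL;
    }
    char *out = http_range ? dup_n(http_range, strlen(http_range)) : NULL;
    free_list(&list);
    return out;
}
```

Running vulnerable_flow() on the two constructed header lines from the report ("Range:0" then "Range:bytes=-") reports a dangling pointer, while hardened_flow() returns NULL for the same input and "bytes=0-99" for a single well-formed Range header. The general lesson is the one the report makes: once an object is handed to a container that may merge and free it, any pointer taken from it beforehand must be considered dead, and the consumer has to be re-pointed at whatever the container kept.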
