Bug #713

closed

UNIX_PATH_MAX - bad assumption - buffer overflow

Added by Anonymous over 14 years ago. Updated about 13 years ago.

Status: Fixed
Priority: Normal
Category: core
Target version:

Description

There is at least one buffer overflow in src/spawn-fcgi.c, since if UNIX_PATH_MAX is not defined, it is set to 108, which may NOT be assumed! One should use sizeof() instead.

You should also check src/mod_fastcgi.c, src/mod_scgi.c and src/spawn-fcgi.c. I was not able to exploit the overflow in src/spawn-fcgi.c in any way, but this is generally a very bad practice and could lead to problems when using external management applications and/or lead to potential security problems in those modules; now or in the future. Maybe it already IS vulnerable on some platforms!

At least on OpenBSD/FreeBSD in sys/un.h:


/*
 * Definitions for UNIX IPC domain.
 */
struct sockaddr_un {
        unsigned char   sun_len;        /* sockaddr len including null */
        sa_family_t     sun_family;     /* AF_UNIX */
        char    sun_path[104];          /* path name (gag) */
};

-- jimmy
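
The sizeof()-based bound suggested in the report, as an added example (not part of the original report and not the code committed in r1944). The helper name fill_unix_addr and the sample socket path are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: fill a sockaddr_un from a path, bounding the copy by
 * the platform's real sun_path size instead of an assumed UNIX_PATH_MAX.
 * Returns 0 on success; returns -1 and sets errno to ENAMETOOLONG when the
 * path plus its terminating NUL does not fit. */
int fill_unix_addr(struct sockaddr_un *addr, socklen_t *len, const char *path)
{
    size_t n = strlen(path);

    /* sizeof is 104 on OpenBSD/FreeBSD and 108 on Linux; never hard-code it */
    if (n >= sizeof(addr->sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }

    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);          /* includes the NUL */

    /* length passed to bind()/connect(): header + path + NUL */
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    return 0;
}

int main(void)
{
    struct sockaddr_un addr;
    socklen_t len = 0;
    char path[200];

    /* constructed input: 105 characters, fits under an assumed 108 but not
     * in a 104-byte sun_path */
    memset(path, 'a', 105);
    path[105] = '\0';

    printf("sizeof(sun_path) = %zu\n", sizeof(addr.sun_path));
    if (fill_unix_addr(&addr, &len, path) != 0)
        perror("105-byte path rejected");
    else
        printf("105-byte path accepted, addrlen = %u\n", (unsigned)len);
    return 0;
}
```

On a platform with a 104-byte sun_path the 105-character path is rejected with ENAMETOOLONG; with a 108-byte sun_path it is accepted, which is exactly the platform difference a hard-coded 108 hides.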

#1

Updated by jan about 13 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r1944

#2

Updated by jan about 13 years ago

fixed in r1944 for 1.4.x and r1945 for 1.5.0
