Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#1959 Possible heap corruption in httpAdapter

Security
closed-fixed
sfcb (1090)
5
2010-07-14
2010-05-15
Chris Buccella
No

There is a particular scenario where heap corruption can exist: if httpMaxContentLength in sfcb.cfg is set to 0 and the Content-Length of a request is 4294967290, getPayload() will try to memcpy() into an incorrectly sized buffer due to wrap around (we add 8 to Content-Length in the malloc).

Also, sfcb.cfg states that the default value for httpMaxContentLength _is_ 0, which is untrue.

Discussion

  • Chris Buccella
    Chris Buccella
    2010-05-15

    • status: open --> pending-fixed
     
  • Chris Buccella
    Chris Buccella
    2010-05-15

    • status: pending-fixed --> open-fixed
     
  • Chris Buccella
    Chris Buccella
    2010-05-15

    Note that this is NOT a problem if httpMaxContentLength is not set in sfcb.cfg; only if it is explicitly set to 0.

     
  • Chris Buccella
    Chris Buccella
    2010-05-15

    committed to CVS HEAD and git master

     
  • Chris Buccella
    Chris Buccella
    2010-05-15

    • status: open-fixed --> pending-fixed
     
    • status: pending-fixed --> closed-fixed
     
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 60 days (the time period specified by
    the administrator of this Tracker).