potential buffer overflow in cgi.c

Brought to you by: akari, brevantes, contikimoose, foxsteve

#227 potential buffer overflow in cgi.c

Milestone: Minor_Bug

Status: open

Owner: nobody

Labels: Server Side (47)

Priority: 5

Updated: 2009-04-05

Created: 2009-04-05

Creator: Charles Reiss

Private: No

unescape_url() in cgi.c does not handle the case where the string passed to it ends with '%' or '%x'; in those cases, it can jump over the \0 and over the end of supplied buffer.

(I do not have a demonstration of this bug that can actually be triggered remotely; however, it does appear that passing "%&" to http_formdata() (which presumably can be done with an appropriately constructed HTTP request) will overflow a buffer on the heap if malloc() returned non-zero'd memory.)

Patch included.

Discussion

Charles Reiss - 2009-04-05

patch to cgi.c

cgi.diff

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

potential buffer overflow in cgi.c

Group

Searches

Help

#227 potential buffer overflow in cgi.c

Discussion