From warlord at MIT.EDU Mon May 15 00:58:51 2006
From: warlord at MIT.EDU (Derek Atkins)
Date: Mon May 15 00:58:58 2006
Subject: [Namazu-devel-en] potential buffer overrun in namazu.cgi?
Message-ID:

Hi.

I think I found a potential buffer overrun in namazu.cgi in 2.0.16. I don't think this overrun is exploitable by an end user, but it could cause memory corruption if the administrator changes your templates.

In src/form.c you have this code:

    /* Expand buf memory for replacing {cgi} and {doc} */
    buf = (char *)realloc(buf, strlen(buf) + strlen(script_name)
                          + strlen(document_name) + 2);
    if (buf == NULL) {
        return NULL;
    }

    /* Replace {cgi} with a proper namazu.cgi location */
    while ((p = strstr(buf, "{cgi}")) != NULL) {
        subst(p, "{cgi}", script_name);
    }

    /* Replace {doc} with the name of the calling document, e.g. using SSI */
    while ((p = strstr(buf, "{doc}")) != NULL) {
        subst(p, "{doc}", document_name);
    }

    return buf;

The realloc is assuming you have one instance of {cgi} and one instance of {doc} in the templates, but the scripts will replace every instance of those strings regardless of how many occur. Earlier in the code you set document_name to script_name (if there is no DOCUMENT_URI environment variable set), so in many cases these are the same; so as long as you only have TWO instances of {cgi}, or one instance of {cgi} and one instance of {doc}, then you're probably okay. BUT if an administrator changes the template and adds another instance of {cgi} you could overrun your buffer.

It might be better to count the number of instances of {cgi} and {doc} and then reallocate the buffer accordingly. Here's a sample of how to do that:

    int cgiCount = 0, docCount = 0;
    ...
    for (p = buf; (p = strstr(p, "{cgi}")) != NULL; p += 5)
        cgiCount++;
    for (p = buf; (p = strstr(p, "{doc}")) != NULL; p += 5)
        docCount++;

    buf = (char *)realloc(buf, strlen(buf)
                          + (cgiCount * (strlen(script_name) + 1))
                          + (docCount * (strlen(document_name) + 1))
                          + 1 /* terminating NUL, needed when both counts are 0 */);

This way you can have as many copies of {cgi} or {doc} in the template and not have to worry about overrunning your buffer.

-derek

-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord@MIT.EDU                        PGP key available

From yw3t-trns at asahi-net.or.jp Mon May 15 12:58:29 2006
From: yw3t-trns at asahi-net.or.jp (Tadamasa Teranishi)
Date: Mon May 15 12:58:10 2006
Subject: [Namazu-devel-en] Re: potential buffer overrun in namazu.cgi?
References:
Message-ID: <4467FC65.869A8E72@asahi-net.or.jp>

Derek Atkins wrote:
>
> I think I found a potential buffer overrun in namazu.cgi in 2.0.16.

Thank you for your report. Another problem was found as well, so both will be corrected together.

-- 
=====================================================================
TADAMASA TERANISHI   yw3t-trns@asahi-net.or.jp
http://www.asahi-net.or.jp/~yw3t-trns/index.htm
Key fingerprint = 474E 4D93 8E97 11F6 662D 8A42 17F5 52F4 10E7 D14E

From warlord at MIT.EDU Thu May 18 01:46:37 2006
From: warlord at MIT.EDU (Derek Atkins)
Date: Thu May 18 01:46:42 2006
Subject: [Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?
In-Reply-To: <4467FC65.869A8E72@asahi-net.or.jp> (Tadamasa Teranishi's message of "Mon, 15 May 2006 12:58:29 +0900")
References: <4467FC65.869A8E72@asahi-net.or.jp>
Message-ID:

In case you care, here's the patch I used, against 2.0.16. This patch also implements a third replacement, {version}, so that I can put the namazu version# into the output without requiring the templates to know what version of namazu is running.
-derek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: namazu-2.0.16-formversion.patch
Type: text/x-patch
Size: 1296 bytes
Desc: patch to namazu form.c
Url : http://www.namazu.org/pipermail/namazu-devel-en/attachments/20060517/729e1fbb/namazu-2.0.16-formversion.bin
-------------- next part --------------
-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord@MIT.EDU                        PGP key available

From yw3t-trns at asahi-net.or.jp Thu May 18 02:25:54 2006
From: yw3t-trns at asahi-net.or.jp (Tadamasa Teranishi)
Date: Thu May 18 02:25:40 2006
Subject: [Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?
References: <4467FC65.869A8E72@asahi-net.or.jp>
Message-ID: <446B5CA2.AAD3677D@asahi-net.or.jp>

Derek Atkins wrote:
>
> In case you care, here's the patch I used, against 2.0.16. This patch
> also implements a third replacement, {version}, so that I can put the
> namazu version# into the output without requiring the templates to
> know what version of namazu is running.

As for Namazu 2.0.X, no functional enhancements are scheduled for the future (only bug fixes). However, it is likely to be enhanced in Namazu 2.2.X (the format is expected to change) to allow placeholders other than "{cgi}" and "{doc}".

By the way, the buffer is similarly broken when VERSION is 10 characters or more, since "{version}" is 9 characters. It does not reach 10 characters in a usual release version. However, a version under development might exceed that and reach 10 characters.

ex) 2.0.17pre1

> Another problem was found as well, so both will be corrected together.

The correction has been made to the stable version (stable-2-0) source in CVS and to the development version (HEAD) source.
-- 
=====================================================================
TADAMASA TERANISHI   yw3t-trns@asahi-net.or.jp
http://www.asahi-net.or.jp/~yw3t-trns/index.htm
Key fingerprint = 474E 4D93 8E97 11F6 662D 8A42 17F5 52F4 10E7 D14E

From warlord at MIT.EDU Thu May 18 02:53:11 2006
From: warlord at MIT.EDU (Derek Atkins)
Date: Thu May 18 02:53:14 2006
Subject: [Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?
In-Reply-To: <446B5CA2.AAD3677D@asahi-net.or.jp> (Tadamasa Teranishi's message of "Thu, 18 May 2006 02:25:54 +0900")
References: <4467FC65.869A8E72@asahi-net.or.jp> <446B5CA2.AAD3677D@asahi-net.or.jp>
Message-ID:

Tadamasa Teranishi writes:

> Derek Atkins wrote:
>>
>> In case you care, here's the patch I used, against 2.0.16. This patch
>> also implements a third replacement, {version}, so that I can put the
>> namazu version# into the output without requiring the templates to
>> know what version of namazu is running.
>
> As for Namazu 2.0.X, no functional enhancements are scheduled for the
> future (only bug fixes).

Well, sure. I figured adding {version} wasn't really a "feature" per se -- it was only a couple lines of code and made my life easier. You're welcome to choose not to accept it into 2.0.x.

> However, it is likely to be enhanced in Namazu 2.2.X (the format is
> expected to change) to allow placeholders other than "{cgi}" and "{doc}".

Okay.

> By the way, the buffer is similarly broken when VERSION is 10
> characters or more, since "{version}" is 9 characters. It does not
> reach 10 characters in a usual release version. However, a version
> under development might exceed that and reach 10 characters.
>
> ex) 2.0.17pre1

Yeah.. I kind of assumed that you could control the version strings.. I figured it would be safe for any XX.YY.ZZ. I didn't think about 'preXX' releases or 'rcXX' releases. Personally I dislike that approach to release engineering..
The time to release a 2.0.17pre1 and then a 2.0.17 is no more significant than the time to release a 2.0.17 and then a 2.0.18, so why release pre-releases?

>> Another problem was found as well, so both will be corrected together.
>
> The correction has been made to the stable version (stable-2-0) source
> in CVS and to the development version (HEAD) source.

That's fine, but I'm not running against CVS, and you haven't released a 2.0.17.

Thanks,

-derek

-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord@MIT.EDU                        PGP key available

From yw3t-trns at asahi-net.or.jp Thu May 18 03:13:24 2006
From: yw3t-trns at asahi-net.or.jp (Tadamasa Teranishi)
Date: Thu May 18 03:13:11 2006
Subject: [Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?
References: <4467FC65.869A8E72@asahi-net.or.jp> <446B5CA2.AAD3677D@asahi-net.or.jp>
Message-ID: <446B67C4.251F8FCC@asahi-net.or.jp>

Derek Atkins wrote:
>
>> ex) 2.0.17pre1
...
> approach to release engineering.. The time to release a 2.0.17pre1
> and then a 2.0.17 is no more significant than the time to release a
> 2.0.17 and then a 2.0.18, so why release pre-releases?

My point is only that code which assumes VERSION is within 9 characters is dangerous.

> That's fine, but I'm not running against CVS, and you haven't released
> a 2.0.17.

Even if CVS cannot be used, a tarball can be obtained from the following URL (example: stable-2-0):

http://cvs.namazu.org/namazu/?only_with_tag=stable-2-0

> The correction has been made to the stable version (stable-2-0) source
> in CVS and to the development version (HEAD) source.

The stable version (stable-2-0) was corrected first.
-- 
=====================================================================
TADAMASA TERANISHI   yw3t-trns@asahi-net.or.jp
http://www.asahi-net.or.jp/~yw3t-trns/index.htm
Key fingerprint = 474E 4D93 8E97 11F6 662D 8A42 17F5 52F4 10E7 D14E

From warlord at MIT.EDU Thu May 18 03:24:41 2006
From: warlord at MIT.EDU (Derek Atkins)
Date: Thu May 18 03:24:58 2006
Subject: [Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?
In-Reply-To: <446B67C4.251F8FCC@asahi-net.or.jp>
References: <4467FC65.869A8E72@asahi-net.or.jp> <446B5CA2.AAD3677D@asahi-net.or.jp> <446B67C4.251F8FCC@asahi-net.or.jp>
Message-ID: <20060517142441.9xiqjp1lu7wcgw0s@webmail.mit.edu>

Quoting Tadamasa Teranishi:

>> approach to release engineering.. The time to release a 2.0.17pre1
>> and then a 2.0.17 is no more significant than the time to release a
>> 2.0.17 and then a 2.0.18, so why release pre-releases?
>
> My point is only that code which assumes VERSION is within 9
> characters is dangerous.

True. Now that your changes are in CVS and I can look at them, it would be easy to add {version} back into your infrastructure. At the time I wrote the patch I didn't see your changes.

But I still think I'll wait for a 2.0.17 release before I update my server.

Thanks,

-derek

-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord@MIT.EDU                        PGP key available
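The sizing bug the thread discusses, worked through as an added example. This code is not from Namazu 2.0.16, Derek's patch, or the CVS fix Teranishi refers to; it is an editor's illustration of the general fix both of them describe (count what the template actually contains, then allocate). It generalizes Derek's two-counter version to an arbitrary list of placeholders, so the {version} case Teranishi raises (a 9-character tag expanded to a 10-character value) is handled by the same length computation rather than by a per-tag assumption. SAMPLE_TEMPLATE, SAMPLE_SCRIPT and the subst tables are constructed for the demonstration and are not taken from any Namazu template; original_sizing() reproduces the realloc arithmetic quoted in Derek's first message so the two reservations can be compared.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One template placeholder and the text it expands to. */
struct subst {
    const char *tag;   /* e.g. "{cgi}" */
    const char *value; /* e.g. the SCRIPT_NAME value */
};

/* Index of the placeholder that starts at p, or -1 if none does. */
static int match_tag(const char *p, const struct subst *subs, size_t nsubs)
{
    for (size_t i = 0; i < nsubs; i++)
        if (strncmp(p, subs[i].tag, strlen(subs[i].tag)) == 0)
            return (int)i;
    return -1;
}

/* Exact length (without the NUL) of tmpl once every occurrence of every
 * placeholder has been replaced.  This replaces the guess of "one {cgi}
 * plus one {doc}" with a count of what the template really contains. */
size_t expanded_length(const char *tmpl, const struct subst *subs, size_t nsubs)
{
    size_t len = 0;
    for (const char *p = tmpl; *p != '\0'; ) {
        int i = match_tag(p, subs, nsubs);
        if (i >= 0) { len += strlen(subs[i].value); p += strlen(subs[i].tag); }
        else        { len++; p++; }
    }
    return len;
}

/* Expand tmpl into a freshly malloc'd buffer sized by expanded_length().
 * One left-to-right pass over the template: text produced by a replacement
 * is never rescanned, so a value that itself contains "{cgi}" is copied
 * literally instead of being expanded again.  Caller frees the result. */
char *expand_template(const char *tmpl, const struct subst *subs, size_t nsubs)
{
    size_t out_len = expanded_length(tmpl, subs, nsubs);
    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = tmpl; *p != '\0'; ) {
        int i = match_tag(p, subs, nsubs);
        if (i >= 0) {
            size_t vlen = strlen(subs[i].value);
            memcpy(q, subs[i].value, vlen);
            q += vlen;
            p += strlen(subs[i].tag);
        } else {
            *q++ = *p++;
        }
    }
    *q = '\0';
    assert((size_t)(q - out) == out_len); /* sizing and copy passes agree */
    return out;
}

/* Bytes the 2.0.16 realloc quoted in the thread reserves: room for exactly
 * one {cgi} and one {doc}, however many the template actually holds. */
size_t original_sizing(const char *tmpl, const char *script_name,
                       const char *document_name)
{
    return strlen(tmpl) + strlen(script_name) + strlen(document_name) + 2;
}

/* Constructed sample inputs, not from any Namazu template: three {cgi} and
 * one {doc}, with DOCUMENT_URI unset so document_name == script_name. */
#define SAMPLE_SCRIPT "/cgi-bin/search/namazu.cgi"
static const char SAMPLE_TEMPLATE[] =
    "<form action=\"{cgi}\">{doc}</form>"
    "<a href=\"{cgi}\">help</a><a href=\"{cgi}\">reset</a>";
const struct subst SAMPLE_SUBS[] = { { "{cgi}", SAMPLE_SCRIPT },
                                     { "{doc}", SAMPLE_SCRIPT } };
/* Teranishi's case: "{version}" is 9 characters, "2.0.17pre1" is 10. */
const struct subst SAMPLE_VERSION_SUBS[] = { { "{version}", "2.0.17pre1" } };

size_t sample_exact_bytes(void)    /* what the sample really needs, NUL included */
{ return expanded_length(SAMPLE_TEMPLATE, SAMPLE_SUBS, 2) + 1; }
size_t sample_original_bytes(void) /* what the 2.0.16 code would reserve */
{ return original_sizing(SAMPLE_TEMPLATE, SAMPLE_SCRIPT, SAMPLE_SCRIPT); }
char *sample_expand(void)
{ return expand_template(SAMPLE_TEMPLATE, SAMPLE_SUBS, 2); }

int main(void)
{
    char *out = sample_expand();
    if (out == NULL)
        return 1;
    printf("needs %zu bytes, 2.0.16 reserved %zu\n%s\n",
           sample_exact_bytes(), sample_original_bytes(), out);
    free(out);
    return 0;
}
```

For the constructed sample (82-byte template, 26-byte script path, four substitutions) the expanded text needs 167 bytes including the terminator while the 2.0.16 arithmetic reserves 136, so the in-place subst() loops would write 31 bytes past the allocation; with one {cgi} and one {doc} the same arithmetic has 12 bytes of slack, which is why the shipped templates never hit it. Computing the length from the template and the actual values, instead of from a fixed number of tags of a fixed size, is also what makes a 10-character VERSION harmless. The design choice worth noting is the single forward scan: the original loops restart strstr() from the beginning of the buffer after every substitution, so their output depends on the replacement values not containing a tag, whereas here each byte of the template is examined exactly once.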