[Namazu-devel-en] potential buffer overrun in namazu.cgi?
Derek Atkins
warlord at MIT.EDU
Mon May 15 00:58:51 JST 2006
Hi.
I think I found a potential buffer overrun in namazu.cgi in 2.0.16. I
don't think this overrun is exploitable by an end user, but it could
cause memory corruption if the administrator changes your templates.
In src/form.c you have this code:

    /* Expand buf memory for replacing {cgi} and {doc} */
    buf = (char *)realloc(buf, strlen(buf) + strlen(script_name) + strlen(document_name) + 2);
    if (buf == NULL) {
        return NULL;
    }

    /* Replace {cgi} with a proper namazu.cgi location */
    while ((p = strstr(buf, "{cgi}")) != NULL) {
        subst(p, "{cgi}", script_name);
    }

    /* Replace {doc} with the name of the calling document eg, using SSI */
    while ((p = strstr(buf, "{doc}")) != NULL) {
        subst(p, "{doc}", document_name);
    }

    return buf;
The realloc is assuming you have one instance of {cgi} and one
instance of {doc} in the templates, but the scripts will replace every
instance of those strings regardless of how many occur.
Earlier in the code you set document_name to script_name (if there is
no DOCUMENT_URI environment variable set), so in many cases these are
the same; as long as you only have TWO instances of {cgi}, or one
instance of {cgi} and one instance of {doc}, then you're probably okay.
BUT if an administrator changes the template and adds another instance
of {cgi} you could overrun your buffer.
It might be better to count the number of instances of {cgi} and {doc}
and then reallocate the buffer accordingly. Here's a sample of how to
do that:
    int cgiCount = 0, docCount = 0;
    ...
    /* Count every occurrence of each placeholder before sizing the buffer */
    for (p = buf; (p = strstr(p, "{cgi}")) != NULL; p += 5)
        cgiCount++;
    for (p = buf; (p = strstr(p, "{doc}")) != NULL; p += 5)
        docCount++;

    /* Reserve room for every replacement plus the terminating NUL,
       so the size is still correct when neither placeholder occurs */
    buf = (char *)realloc(buf, strlen(buf) +
                          (cgiCount * (strlen(script_name) + 1)) +
                          (docCount * (strlen(document_name) + 1)) + 1);
This way you can have as many copies of {cgi} or {doc} in the template
as you like and not have to worry about overrunning your buffer.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
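As an added illustration (not code from this mail or from Namazu), the following computes the exact number of bytes a template needs after every {cgi} and {doc} is replaced, places it beside the fixed "one of each" formula quoted above so the shortfall can be measured, and expands the template in a single left-to-right pass that never re-scans replacement text. It assumes the placeholders are exactly the five-byte strings {cgi} and {doc}; script_name and document_name are passed in as plain arguments.

```c
#include <stdlib.h>
#include <string.h>

#define PLACEHOLDER_LEN 5   /* both "{cgi}" and "{doc}" are 5 bytes */

/* Count non-overlapping occurrences of needle in haystack. */
static size_t count_occurrences(const char *haystack, const char *needle) {
    size_t n = 0, len = strlen(needle);
    for (const char *p = haystack; (p = strstr(p, needle)) != NULL; p += len)
        n++;
    return n;
}

/* Bytes the fully expanded template needs, including the terminating NUL. */
size_t expanded_size(const char *tmpl, const char *cgi, const char *doc) {
    size_t ncgi = count_occurrences(tmpl, "{cgi}");
    size_t ndoc = count_occurrences(tmpl, "{doc}");
    return strlen(tmpl) - (ncgi + ndoc) * PLACEHOLDER_LEN
           + ncgi * strlen(cgi) + ndoc * strlen(doc) + 1;
}

/* Bytes the fixed-size formula from form.c reserves (one {cgi}, one {doc}). */
size_t fixed_size(const char *tmpl, const char *cgi, const char *doc) {
    return strlen(tmpl) + strlen(cgi) + strlen(doc) + 2;
}

/* Expand every placeholder into a freshly allocated, exactly sized buffer.
   Replacement text is copied verbatim and never scanned for placeholders,
   so the output size always matches expanded_size(). Caller frees. */
char *expand_template(const char *tmpl, const char *cgi, const char *doc) {
    char *out = malloc(expanded_size(tmpl, cgi, doc));
    if (out == NULL)
        return NULL;
    size_t used = 0;
    for (const char *p = tmpl; *p != '\0'; ) {
        const char *rep = NULL;
        if (strncmp(p, "{cgi}", PLACEHOLDER_LEN) == 0)
            rep = cgi;
        else if (strncmp(p, "{doc}", PLACEHOLDER_LEN) == 0)
            rep = doc;
        if (rep != NULL) {
            size_t rl = strlen(rep);
            memcpy(out + used, rep, rl);
            used += rl;
            p += PLACEHOLDER_LEN;
        } else {
            out[used++] = *p++;
        }
    }
    out[used] = '\0';
    return out;
}
```

With a constructed template holding three {cgi} placeholders and a 19-byte script name, fixed_size() reserves 57 bytes while the expansion needs 60, which is exactly the overrun the mail describes.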