libmms heap-based buffer overflow

2014.04.16
Credit: Alex Chapman
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hello list,

It seems libmms has fixed a buffer overflow in a recent 0.6.4 version with the following commit.

http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8

This may be triggered via an overly long line of an MMSH (MMS over HTTP) server response, effectively overflowing the buffer which has a static size (defined as BUF_SIZE, didn't check the actual numeric value).

Please assign a CVE name for this, if there is none.

Kind regards, Z.

src/mmsh.c --- a/src/mmsh.c +++ b/src/mmsh.c @@ -310,7 +310,10 @@ len = 0; } } else { - len ++; + if (++len >= sizeof(this->buf)) { + lprintf("answer too large\n"); + return 0; + } } } if (this->stream_type == MMSH_UNKNOWN) {
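Review bot: in the else branch the new bound is `sizeof(this->buf)`, which equals the buffer length only while `buf` is declared as an array member; the declaration is not visible in this hunk, so if it ever becomes a pointer the check silently turns into a comparison against the pointer size. Comparing against the size constant used at the declaration (the mail names it BUF_SIZE) would keep the two in step. The early `return 0` would also benefit from a short comment stating that 0 is the failure value callers test for, and the `lprintf("answer too large\n")` message could include the limit so an oversized answer can be told apart from other failures in logs.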

References:

http://seclists.org/oss-sec/2014/q2/120
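The bounded byte-at-a-time line read that the quoted fix introduces, shown as an added, self-contained example. This is not libmms code: `count_header_lines`, `LINE_BUF_SIZE` (a demo value, since the page does not state BUF_SIZE) and both sample responses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF_SIZE 32   /* assumed demo size; the page does not state BUF_SIZE */

/* Count the CRLF-terminated lines in resp[0..n), storing each line in a
 * fixed buffer one byte at a time. Returns the number of complete lines,
 * or -1 as soon as a line would not fit in the buffer. */
static int count_header_lines(const char *resp, size_t n)
{
    char buf[LINE_BUF_SIZE];
    size_t len = 0;
    int lines = 0;
    for (size_t i = 0; i < n; i++) {
        buf[len] = resp[i];              /* safe: len < sizeof(buf) on entry */
        if (len > 0 && buf[len - 1] == '\r' && buf[len] == '\n') {
            lines++;
            len = 0;                     /* line complete, reuse the buffer */
        } else if (++len >= sizeof(buf)) {
            return -1;                   /* too long: stop before the next write */
        }
    }
    return lines;
}

/* Constructed sample: a short, well-formed response header. */
static int check_ok_response(void)
{
    static const char resp[] = "HTTP/1.0 200 OK\r\nPragma: no-cache\r\n\r\n";
    return count_header_lines(resp, sizeof(resp) - 1);
}

/* Constructed sample: one header line far longer than the buffer. */
static int check_long_response(void)
{
    char resp[202];
    memset(resp, 'A', 200);
    resp[200] = '\r';
    resp[201] = '\n';
    return count_header_lines(resp, sizeof(resp));
}

int main(void)
{
    printf("ok response:   %d lines\n", check_ok_response());
    printf("long response: %d\n", check_long_response());
    return 0;
}
```

Without the `++len >= sizeof(buf)` branch, the long sample would keep writing past the end of `buf`, which is the condition the advisory describes.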

