miniupnpc buffer overflow

2014.04.30
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Good morning,

It was pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=1085618 that miniupnpc version 1.9 fixes a possible buffer overflow:

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9

I am not familiar with the code but it may be just a crash, with an invalid read here (on line 131):

    129         /* parse header lines */
    130         for(i = 0; i < endofheaders - 1; i++) {
    131                 if(colon <= linestart && header_buf[i]==':')

Can a CVE be assigned if one has not been already?

On a related note, I'm not sure if there are other issues close by. For example, in version 1.9, miniwget.c:

    172         /* copy the remaining of the received data back to buf */
    173         n = header_buf_used - endofheaders;
    174         memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned. Mixing the types together (and the signed int in the memcpy) may warrant further investigation.

Cheers,

--
Murray McAllister / Red Hat Security Response Team

References:

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9
https://bugzilla.redhat.com/show_bug.cgi?id=1085618
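
The type mixing raised in the message, as an added example that is not miniupnpc code and not part of the original post: it shows what length memcpy() would receive if endofheaders ever exceeded header_buf_used, next to a checked form. The variable names come from the quoted lines; the function names, buffer sizes and sample response are assumptions, and the example does not establish that miniupnpc can reach the inconsistent state.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Types follow the message: n and endofheaders are int, header_buf_used is
 * unsigned. Returns the length memcpy() would be handed (hypothetical helper). */
size_t unchecked_copy_len(unsigned int header_buf_used, int endofheaders)
{
    /* Subtraction is done in unsigned arithmetic, then narrowed to int
     * (wraps to a negative value on common two's-complement compilers). */
    int n = header_buf_used - endofheaders;
    return (size_t)n; /* same conversion memcpy's size_t parameter applies */
}

/* Hardened form (hypothetical helper): validate offsets before subtracting and
 * bound the copy by the destination size. Returns 0 on success, -1 on reject. */
int copy_body_checked(char *buf, size_t buf_size, const char *header_buf,
                      size_t header_buf_used, int endofheaders, size_t *copied)
{
    if (endofheaders < 0 || (size_t)endofheaders > header_buf_used)
        return -1;                       /* offset outside received data */
    size_t n = header_buf_used - (size_t)endofheaders;
    if (n > buf_size)
        return -1;                       /* body would not fit in buf */
    memcpy(buf, header_buf + endofheaders, n);
    *copied = n;
    return 0;
}

int main(void)
{
    /* Constructed sample response: headers end at offset 19, body is 4 bytes. */
    const char resp[] = "HTTP/1.1 200 OK\r\n\r\nbody";
    char buf[8];
    size_t copied = 0;

    printf("consistent offsets:   n = %zu\n", unchecked_copy_len(23, 19));
    printf("inconsistent offsets: n = %zu\n", unchecked_copy_len(19, 23));
    printf("checked, consistent:   %d\n",
           copy_body_checked(buf, sizeof buf, resp, 23, 19, &copied));
    printf("checked, inconsistent: %d\n",
           copy_body_checked(buf, sizeof buf, resp, 19, 23, &copied));
    return 0;
}
```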


Copyright 2024, cxsecurity.com

 
