[TriLUG] Nagios plugin check_http segmentation fault - potential for buffer overflow?
Ian Kilgore
ian at trilug.org
Wed Nov 22 15:09:39 EST 2006
On Wed, Nov 22, 2006 at 03:01:00PM -0500, Ian Kilgore wrote:
> while (j < len - 2) {
I know, I know, I'm replying to myself. I'm sorry. Here is a cookie.
To clarify, len is size_t. When len is <2, this becomes:
while (j < big number depending on platform) {
At the start of base64(), a buffer is allocated. When len is one, that
buffer is (len + 2) / 3 * 4 + 1 = 5 bytes big. "big number depending on
platform" is more than five :)
Then stuff like this happens inside the loop:
buf[i++] = base64_table[bin[j] >> 2];
'i' does not get smaller, and gets incremented a few times in the body
of the loop, so after a bit, base64() starts to write outside of buf.
So this is a buffer overflow, but I'm not sure if it can be exploited.
Even if it could be exploited, would it really get you anywhere? :)
--
Ian Kilgore
echo "pfxz at pfxz.trw" | tr pzfwxt ikagno
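The size_t wrap-around and a bounded rewrite of the loop, as an added example that is not the plugin's own code: the buffer size formula, the `len - 2` bound and the first loop statement follow the post, while the rest of the encoder body and the helper names (base64_bufsize, unsafe_loop_bound, base64_safe, encodes_to) are assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static const char base64_table[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Buffer size from the post: (len + 2) / 3 * 4 + 1, so 5 bytes for len == 1. */
size_t base64_bufsize(size_t len) { return (len + 2) / 3 * 4 + 1; }

/* The loop bound exactly as the original computes it. With size_t, len < 2
 * does not go negative but wraps to a huge value (SIZE_MAX for len == 1). */
size_t unsafe_loop_bound(size_t len) { return len - 2; }

/* Hardened encoder (assumed body): j + 2 < len cannot wrap, so the full-group
 * loop never runs for len < 3 and the tail handles 1 or 2 leftover bytes.
 * Returns a malloc'd string the caller frees. */
char *base64_safe(const unsigned char *bin, size_t len) {
    size_t i = 0, j = 0;
    char *buf = malloc(base64_bufsize(len));
    if (!buf) return NULL;
    while (j + 2 < len) {                     /* was: while (j < len - 2) */
        buf[i++] = base64_table[bin[j] >> 2];
        buf[i++] = base64_table[((bin[j] & 0x03) << 4) | (bin[j + 1] >> 4)];
        buf[i++] = base64_table[((bin[j + 1] & 0x0f) << 2) | (bin[j + 2] >> 6)];
        buf[i++] = base64_table[bin[j + 2] & 0x3f];
        j += 3;
    }
    if (j < len) {                            /* 1 or 2 trailing bytes: pad */
        buf[i++] = base64_table[bin[j] >> 2];
        if (j + 1 < len) {
            buf[i++] = base64_table[((bin[j] & 0x03) << 4) | (bin[j + 1] >> 4)];
            buf[i++] = base64_table[(bin[j + 1] & 0x0f) << 2];
        } else {
            buf[i++] = base64_table[(bin[j] & 0x03) << 4];
            buf[i++] = '=';
        }
        buf[i++] = '=';
    }
    buf[i] = '\0';                            /* i <= base64_bufsize(len) - 1 */
    return buf;
}

/* Test helper: encode a C string and compare with the expected output. */
int encodes_to(const char *in, const char *expect) {
    char *out = base64_safe((const unsigned char *)in, strlen(in));
    int ok = out && strcmp(out, expect) == 0;
    free(out);
    return ok;
}
```

The one-byte case is the one the post describes: the original bound is SIZE_MAX against a 5-byte buffer, while the rewritten loop does not enter at all and the tail writes exactly four characters plus the terminator.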