Hi,

I spotted a bug in `http_add_field()` (cups/http.c) while fuzzing the HTTP server of CUPS 2.3.0 that causes a NULL pointer dereference in `httpGetSubField2()`.

Look at `_httpUpdate()`: it first adds the Authentication-Info field and then calls `httpGetSubField2()`.

At the beginning of that routine there is a for loop that iterates over `http->fields[field]`, assuming that it is a valid pointer:

```c
  if (!http || !name || !value || valuelen < 2 ||
      field <= HTTP_FIELD_UNKNOWN || field >= HTTP_FIELD_MAX)
    return (NULL);

  end = value + valuelen - 1;

  for (fptr = http->fields[field]; *fptr;) // HERE: fptr is dereferenced without a NULL check
  {
   /*
    * Skip leading whitespace...
    */
```

Now looking at `http_add_field()` you can see that if `valuelen` is 0 the routine simply sets the first byte of `http->_fields[field]` to 0 and leaves `http->fields[field]` as NULL:

```c
  valuelen = strlen(value);

  if (!valuelen)
  {
    http->_fields[field][0] = '\0';
    return;   /* http->fields[field] is never assigned on this path */
  }
```

So it's clear that with an empty Authentication-Info field we can crash the application when `httpGetSubField2()` is called.

The crashing testcase from the fuzzer is:

```http
GET http:https://localhost:631/index.html HTTP/1.1
Authentication-Info:
Authentication-Info: 7.0
```

Best Regards,
Andrea

Edit: I'm on Ubuntu 18.04.2 x86_64
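The following is an added example, not code from the report or from CUPS. It models the two per-field arrays the report describes (`_fields` as inline storage, `fields` as a pointer per field) in a toy struct whose sizes, field index and function names are assumptions, replays the empty-header case against a writer with the same early return as the `http_add_field()` snippet, and puts a hardened writer and a NULL-checking reader beside it so the difference is observable without a fault:

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the two per-field arrays the report talks about. The member
 * names mimic cups/http.c; the sizes, the field index and the layout are
 * assumptions for this example, not CUPS' real struct.
 */
#define TOY_FIELD_MAX 4
#define TOY_FIELD_LEN 64
#define TOY_FIELD_AUTH_INFO 2   /* stands in for HTTP_FIELD_AUTHENTICATION_INFO */

typedef struct {
    char  _fields[TOY_FIELD_MAX][TOY_FIELD_LEN]; /* inline storage for values */
    char *fields[TOY_FIELD_MAX];                 /* one pointer per field, NULL until set */
} toy_http_t;

static void toy_init(toy_http_t *http)
{
    memset(http, 0, sizeof(*http));              /* every fields[i] starts out NULL */
}

/* Same early return as the http_add_field() snippet in the report: an empty
 * value clears the storage but never assigns fields[field]. */
static void toy_add_field_buggy(toy_http_t *http, int field, const char *value)
{
    size_t valuelen = strlen(value);

    if (!valuelen) {
        http->_fields[field][0] = '\0';
        return;                                  /* fields[field] stays NULL */
    }

    strncpy(http->_fields[field], value, TOY_FIELD_LEN - 1);
    http->_fields[field][TOY_FIELD_LEN - 1] = '\0';
    http->fields[field] = http->_fields[field];
}

/* Hardened writer (one possible fix, not necessarily the one CUPS shipped):
 * the pointer is assigned on every path, so a reader always sees a valid,
 * possibly empty, C string. */
static void toy_add_field_fixed(toy_http_t *http, int field, const char *value)
{
    strncpy(http->_fields[field], value, TOY_FIELD_LEN - 1);
    http->_fields[field][TOY_FIELD_LEN - 1] = '\0';
    http->fields[field] = http->_fields[field];
}

/* Hardened reader: checks the pointer before the loop the report marks "HERE".
 * Returns the number of comma-separated sub-fields, or -1 when the pointer is
 * NULL, i.e. where the original loop would have dereferenced it. */
static int toy_count_subfields(const toy_http_t *http, int field)
{
    const char *fptr = http->fields[field];
    int count = 0;

    if (!fptr)
        return -1;

    while (*fptr) {
        while (*fptr == ' ' || *fptr == '\t')    /* skip leading whitespace */
            fptr++;
        if (!*fptr)
            break;
        count++;
        while (*fptr && *fptr != ',')            /* consume one sub-field */
            fptr++;
        if (*fptr == ',')
            fptr++;
    }
    return count;
}

/* Stores one Authentication-Info value with the given writer and reports what
 * the reader sees right afterwards, which is the moment _httpUpdate() calls
 * httpGetSubField2() according to the report. */
static int toy_replay(void (*add)(toy_http_t *, int, const char *), const char *value)
{
    toy_http_t http;
    toy_init(&http);
    add(&http, TOY_FIELD_AUTH_INFO, value);
    return toy_count_subfields(&http, TOY_FIELD_AUTH_INFO);
}

int toy_replay_buggy(const char *value) { return toy_replay(toy_add_field_buggy, value); }
int toy_replay_fixed(const char *value) { return toy_replay(toy_add_field_fixed, value); }

int main(void)
{
    /* Constructed header values: the empty one from the fuzzer testcase, then "7.0". */
    printf("buggy writer, empty value: %d (-1 = NULL pointer reaches the reader)\n",
           toy_replay_buggy(""));
    printf("fixed writer, empty value: %d sub-fields\n", toy_replay_fixed(""));
    printf("either writer, \"7.0\":      %d sub-fields\n", toy_replay_fixed("7.0"));
    return 0;
}
```

The value of the replay is that it isolates the invariant the report identifies: the reader assumes `fields[field]` is never NULL once a header has been added, while the writer breaks that assumption on exactly one path. Fixing either side (assign the pointer on every path, or check it before the loop) closes the crash; doing both is cheap and protects against the next caller that forgets.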