This is the mail archive of the ecos-bugs@sourceware.org mailing list for the eCos project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug 1000376] ATHTTPD security Authorization parse can overrun memory


https://bugzilla.ecoscentric.com/show_bug.cgi?id=1000376





------- Additional Comments From atonizzo@gmail.com  2007-06-12 16:28 -------
Under which condition can the parsing lead to overwrite all the
memory? I will stop when a '\r', a '\n' or a ' ' is found. Isn't it
correct to assume that one of those three characters will always
terminate the argument to the "Basic" header?

I do see the problem mentioned a bit later, that proposes to limit
the maximum length of the parsing inside cyg_httpd_digest_data.
Certainly it is a good idea to reuse the existing code, but this also
brings up another problem which I did not think about before: In the
"Basic" authentication the cyg_httpd_md5_digest string is used as 
storage for the login/password duo. If login/password are very long, 
their base64 encoded length can exceed 32 bytes and thus overwrite 
the cyg_httpd_md5_digest length. Regardless of the size of the buffer
used, an attacker can arguably always provide long enough logins and 
passwords to fill the buffer. Should we decree that the total, encoded
length of the login/password string can never be more than 32
characters, and if it is we discard the rest and issue an error?


-- 
Configure bugmail: https://bugzilla.ecoscentric.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]