    http: Fix overflow on HTTP request buffers (CVE-2012-6128) · bcc2f7f2
    Kevin Cernekee authored
    A malicious VPN gateway can send a very long hostname/path (for redirects)
    or cookie list (in general), which OpenConnect will attempt to sprintf()
    into a fixed length buffer.  Each HTTP server response line can add
    roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
    but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
    allocated on the stack.
    
    The result of passing a long "Location:" header looks like:
    
        Attempting to connect to server 127.0.0.1:443
        SSL negotiation with localhost
        Server certificate verify failed: self signed certificate in certificate chain
        Connected to HTTPS on localhost
        GET https://localhost/
        Got HTTP response: HTTP/1.0 301 Moved
        Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
        SSL negotiation with localhost
        Server certificate verify failed: self signed certificate in certificate chain
        Connected to HTTPS on localhost
        *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
        ======= Backtrace: =========
        /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
        /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
        /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
        /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
        /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
        /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
        /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
        /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
        /scr/openconnect2/.libs/lt-openconnect[0x40413f]
        /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
        /scr/openconnect2/.libs/lt-openconnect[0x404579]
    
    The proposed fix is to use dynamically allocated buffers with overflow
    checking.

    Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    (cherry picked from commit 26f752c3)
http.c 32.2 KB
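The approach the commit message describes, a dynamically allocated request buffer with overflow checking in place of sprintf() into a fixed stack array, as an added C example that is not the OpenConnect patch itself. The `req_buf` type, `req_buf_appendf`, `build_request` and `demo_long_location` are hypothetical names chosen for this illustration, and the request it assembles is only a minimal stand-in for what http.c builds. The point it demonstrates is the one that closes the bug: measure the formatted length with vsnprintf before writing, grow the heap buffer to fit, and make any failure sticky so a server-supplied redirect target or cookie list longer than MAX_BUF_LEN costs memory rather than overrunning the stack.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable, NUL-terminated request buffer. Hypothetical type for this
 * example; not the data structure OpenConnect's http.c actually uses. */
struct req_buf {
    char *data;   /* contents, NUL-terminated once anything is appended */
    size_t len;   /* bytes used, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
    int error;    /* sticky: set on the first failed append, never cleared */
};

void req_buf_init(struct req_buf *b) { memset(b, 0, sizeof *b); }
void req_buf_free(struct req_buf *b) { free(b->data); req_buf_init(b); }

/* Append formatted text. Unlike sprintf() into a fixed array, the output is
 * measured first and the buffer grown to fit, so input of any length can
 * only exhaust memory, never overrun the buffer.
 * Returns 0 on success, -1 on failure (the buffer is then marked in error). */
int req_buf_appendf(struct req_buf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t need;

    if (b->error)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);        /* measure, write nothing */
    va_end(ap);
    if (n < 0 || (size_t)n > SIZE_MAX - b->len - 1) {
        b->error = 1;
        return -1;
    }
    need = b->len + (size_t)n + 1;          /* +1 for the NUL */

    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 256;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2) { ncap = need; break; }
            ncap *= 2;
        }
        char *nd = realloc(b->data, ncap);
        if (!nd) {
            b->error = 1;
            return -1;
        }
        b->data = nd;
        b->cap = ncap;
    }

    va_start(ap, fmt);
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);  /* bounded write */
    va_end(ap);
    b->len += (size_t)n;
    return 0;
}

/* Assemble a minimal GET request from strings the server controlled on the
 * previous response (redirect target, cookies). Returns 0 or -1. */
int build_request(struct req_buf *b, const char *host, const char *path,
                  const char *cookies)
{
    if (req_buf_appendf(b, "GET %s HTTP/1.1\r\n", path) ||
        req_buf_appendf(b, "Host: %s\r\n", host))
        return -1;
    if (cookies && *cookies && req_buf_appendf(b, "Cookie: %s\r\n", cookies))
        return -1;
    return req_buf_appendf(b, "\r\n");
}

/* Constructed input: a redirect path of path_len 'a's, which the caller can
 * make longer than the 131072-byte MAX_BUF_LEN named in the commit message.
 * Returns the length of the assembled request, or 0 if assembly failed. */
size_t demo_long_location(size_t path_len)
{
    char *path = malloc(path_len + 2);
    struct req_buf b;
    size_t out = 0;

    if (!path)
        return 0;
    path[0] = '/';
    memset(path + 1, 'a', path_len);
    path[path_len + 1] = '\0';

    req_buf_init(&b);
    if (build_request(&b, "localhost", path, NULL) == 0 &&
        strlen(b.data) == b.len)
        out = b.len;
    req_buf_free(&b);
    free(path);
    return out;
}

int main(void)
{
    size_t n = demo_long_location(200000);   /* well past MAX_BUF_LEN */
    printf("request assembled: %zu bytes\n", n);
    return n ? 0 : 1;
}
```

The sticky `error` flag matters as much as the growth: once an append fails, every later append also fails and the caller checks a single return value before sending, so a partially built request is never put on the wire.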