Commit
http: Fix overflow on HTTP request buffers

A malicious VPN gateway can send a very long hostname/path (for redirects) or cookie list (in general), which OpenConnect will attempt to sprintf() into a fixed length buffer. Each HTTP server response line can add roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request, but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is allocated on the stack.

The result of passing a long "Location:" header looks like:

    Attempting to connect to server 127.0.0.1:443
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    GET https://localhost/
    Got HTTP response: HTTP/1.0 301 Moved
    Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
    /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
    /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
    /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
    /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
    /scr/openconnect2/.libs/lt-openconnect[0x40413f]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
    /scr/openconnect2/.libs/lt-openconnect[0x404579]

The proposed fix is to use dynamically allocated buffers with overflow checking.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
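The fix the message proposes, a heap buffer that grows under overflow checking instead of sprintf() into a fixed-size stack buffer, as an added illustration that is not OpenConnect's own code: struct req_buf, req_appendf and build_request are hypothetical names, and the server-supplied strings are only ever %s arguments, never the format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Growable request buffer (hypothetical type, not OpenConnect's own):
   len = bytes used (excl. NUL), cap = bytes allocated, error = sticky
   flag set on allocation failure so that later appends become no-ops. */
struct req_buf { char *data; size_t len, cap; int error; };
static int req_init(struct req_buf *b)
{
    b->len = 0; b->cap = 256; b->error = 0;
    b->data = malloc(b->cap);
    if (!b->data) return b->error = 1;
    b->data[0] = '\0';
    return 0;
}
/* Append formatted text; grows the heap buffer instead of overflowing it. */
static void req_appendf(struct req_buf *b, const char *fmt, ...)
{
    va_list ap;
    if (b->error) return;
    for (;;) {
        size_t avail = b->cap - b->len;
        va_start(ap, fmt);
        int n = vsnprintf(b->data + b->len, avail, fmt, ap);
        va_end(ap);
        if (n < 0) { b->error = 1; return; }
        if ((size_t)n < avail) { b->len += (size_t)n; return; }
        /* Output was truncated: grow until it fits, then format again. */
        size_t need = b->len + (size_t)n + 1, ncap = b->cap;
        while (ncap < need) ncap *= 2;
        char *p = realloc(b->data, ncap);
        if (!p) { b->error = 1; return; }
        b->data = p; b->cap = ncap;
    }
}
/* Build a request from server-controlled host/path/cookie strings of any
   length; they are %s arguments, never the format string. Returns a
   malloc'd string the caller frees, or NULL on allocation failure. */
char *build_request(const char *host, const char *path, const char *cookies)
{
    struct req_buf b;
    if (req_init(&b)) return NULL;
    req_appendf(&b, "GET %s HTTP/1.1\r\nHost: %s\r\n", path, host);
    if (cookies && *cookies) req_appendf(&b, "Cookie: %s\r\n", cookies);
    req_appendf(&b, "\r\n");
    if (b.error) { free(b.data); return NULL; }
    return b.data;
}
```

A cookie list of MAX_BUF_LEN bytes, the case the message describes, simply makes the buffer grow; the only failure mode left is an allocation failure, reported as NULL rather than as a smashed stack.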
Showing 1 changed file with 130 additions and 34 deletions.