Closed Bug 309444 Opened 19 years ago Closed 19 years ago

nsNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure

Categories

(MailNews Core :: Networking, defect)

1.7 Branch
x86
All
defect
Not set
minor

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jackerror823, Assigned: Bienvenu)


Details

(Keywords: fixed1.8, Whiteboard: [sg:low])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050907 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050907 Firefox/1.0.6

A typo is breaking the ListXActiveResponse feature while potentially creating a
minor security bug:

4589       if (s)
4590       {
4591         char flags[32]; /* ought to be big enough */
4592         *s = 0;
4593         PR_sscanf(s + 1,
4594           "%d %d %31s", 
4595           &m_firstPossibleArticle, 
4596           &m_lastPossibleArticle,
4597           flags);

At line 4589 the condition is obviously erroneous (and will always be true) and
should be

- if (s)
+ if (*s)
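Review bot: the one-character change is the right one, because the test on line 4589 is on the pointer, which cannot be null after the whitespace scan on line 4587 leaves s either on a whitespace byte or on the line's terminating null, so the branch was unconditional; testing *s instead guarantees that the s + 1 handed to PR_sscanf on line 4593 still points inside the line. Worth a short comment at the changed line saying the intent is "a delimiter was found", since `if (*s)` still reads like a null-pointer check to a casual reader and could easily be "fixed" back.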

The write-in-memory at line 4592 is safe (in the worst scenario it's overwriting the
terminating null byte with a new null byte), but the sscanf at line 4593 isn't: s
+ 1 could be out of bounds of the buffer, potentially disclosing a part of the
heap (if it does match the required format).

I believe this bug is very minor and the security impact nearly null; I set the
'sensitive' flag as a precaution. Feel free to remove it at any time if you think
it's the right thing to do.

Reproducible: Always

Steps to Reproduce:
I didn't try to reproduce/trigger it. I imagine it's easily doable by returning
invalid input (full of ' ' or '\t' to match the NET_IF_SPACE line 4587).
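The corrected check, as an added C example that is not the Mozilla code from this bug: a stand-alone parser for one LIST XACTIVE-style line ("group first last flags") that tests the character at s rather than the pointer, so the text passed to sscanf can never start past the line's terminator. isspace and sscanf stand in for the whitespace test and PR_sscanf of the original, the struct and function names are assumptions, and the sample lines in the comments are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One parsed LIST XACTIVE-style line: "group first last flags". */
struct xactive_entry {
    char group[64];
    int  first;     /* stands in for m_firstPossibleArticle */
    int  last;      /* stands in for m_lastPossibleArticle */
    char flags[32]; /* same size as the original; "%31s" keeps sscanf bounded */
};

/* Parse one line into *out. Returns 1 on success, 0 on malformed input.
 * The line is copied because, as in the original, parsing overwrites the
 * first whitespace byte with a terminator. Constructed inputs that exercise
 * it: "rec.arts.movies.past-films 7302 7119 y" (ok), "nospacehere" (rejected,
 * the case that used to read past the terminator), "   \t  " (rejected). */
int parse_xactive_line(const char *line, struct xactive_entry *out)
{
    char buf[256];
    char *s;

    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);

    /* Advance to the first whitespace byte (isspace stands in for NET_IS_SPACE). */
    s = buf;
    while (*s && !isspace((unsigned char)*s))
        s++;

    /* Corrected test: check the character, not the pointer. s is never NULL
     * here, so "if (s)" was always true; when *s is the terminating NUL,
     * s + 1 lies past the end of the line and must not reach sscanf. */
    if (!*s)
        return 0;

    *s = 0;                       /* split the group name from the counters */
    if (s == buf || strlen(buf) >= sizeof out->group)
        return 0;                 /* empty or oversized group name */
    strcpy(out->group, buf);

    /* "%31s" leaves room for the NUL in flags[32], exactly as the original did. */
    if (sscanf(s + 1, "%d %d %31s", &out->first, &out->last, out->flags) != 3)
        return 0;
    return 1;
}
```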
Assignee: general → nobody
Component: General → MailNews: Networking
Product: Mozilla Application Suite → Core
QA Contact: general → grylchan
Version: unspecified → 1.7 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: sNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure → nsNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure
taking
Assignee: nobody → bienvenu
Attached patch: proposed fix
Attachment #196925 - Flags: superreview?(mscott)
Attachment #196925 - Flags: superreview+
Attachment #196925 - Flags: approval1.8b5+
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Flags: blocking1.8b5+
Whiteboard: [sg:low]
Group: security
Product: Core → MailNews Core