Bug 309444 (Closed)
Opened 19 years ago
Closed 19 years ago
nsNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure
Categories: MailNews Core :: Networking, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: jackerror823, Assigned: Bienvenu
References: none
Details: Keywords: fixed1.8, Whiteboard: [sg:low]
Attachments (1 file)
1.48 KB, patch | mscott: superreview+ | mscott: approval1.8b5+
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050907 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050907 Firefox/1.0.6
A typo is breaking the ListXActiveResponse feature while potentially creating a
minor security bug:
4589    if (s)
4590    {
4591      char flags[32]; /* ought to be big enough */
4592      *s = 0;
4593      PR_sscanf(s + 1,
4594                "%d %d %31s",
4595                &m_firstPossibleArticle,
4596                &m_lastPossibleArticle,
4597                flags);
At line 4589 the condition is obviously erroneous (and will always be true) and
should be
- if (s)
+ if (*s)
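Review bot: the `if (*s)` guard is the right fix for the out-of-bounds read at line 4593, but the return value of PR_sscanf on that line is still not checked, so a line that ends right after the separator (or one whose tail does not match "%d %d %31s") leaves m_firstPossibleArticle, m_lastPossibleArticle and flags unassigned by this call; consider also requiring that three items were converted before using them.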
The write to memory at line 4592 is safe (in the worst case it overwrites the
terminating null byte with a new null byte), but the sscanf at line 4593 isn't: s
+ 1 could be out of bounds of the buffer, potentially disclosing a part of the
heap (if it does match the required format).
I believe this bug is very minor and the security impact nearly null; I set the
'sensitive' flag as a precaution, feel free to remove it at any time if you think
it's the right thing to do.
Reproducible: Always
Steps to Reproduce:
I didn't try to reproduce/trigger it. I imagine it's easily doable by returning
invalid input (full of ' ' or '\t' to match the NET_IF_SPACE at line 4587).
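The pattern the report describes, shown side by side with the corrected condition, as an added C example that is not code from this bug or from Mozilla's nsNNTPProtocol.cpp. The separator-scanning loop that precedes line 4589, the struct and function names, and the sample line are assumptions, since the surrounding source is not on the page. `separator_check` evaluates the original `if (s)` and the fixed `if (*s)` on the same line without ever reading past it; `parse_xactive_line` is the hardened form, which also checks the sscanf item count so that whitespace-only or truncated lines are rejected instead of leaving the fields unassigned.

```c
#include <stdio.h>
#include <string.h>

/* Parsed form of one LIST XACTIVE line, e.g. "group 7302 7119 csp".
 * Field names are assumptions modelled on the members in the report. */
struct xactive_entry {
    char group[128];
    long first;   /* first possible article number */
    long last;    /* last possible article number  */
    char flags[32];
};

/* Stand-in for NET_IS_SPACE (assumed: space or tab). */
static int is_nntp_space(char c)
{
    return c == ' ' || c == '\t';
}

/* Advance to the first separator the way the code before line 4589 is
 * assumed to, then report whether "*s = 0; sscanf(s + 1, ...)" would run.
 * use_fixed == 0 reproduces the original `if (s)`: true for any non-NULL
 * pointer, including one parked on the terminating NUL, which is exactly
 * when s + 1 lies outside the buffer.
 * use_fixed == 1 uses the corrected `if (*s)`. Nothing past the line is
 * touched in either mode. */
int separator_check(const char *line, int use_fixed)
{
    const char *s = line;
    while (*s && !is_nntp_space(*s))
        s++;
    return use_fixed ? (*s != 0) : (s != NULL);
}

/* Hardened parser: returns 1 and fills *out on success, 0 when the line is
 * rejected. Relative to the snippet in the report it adds the test on *s,
 * so a separator-less line never reaches s + 1, and a check that sscanf
 * converted all three items. */
int parse_xactive_line(const char *line, struct xactive_entry *out)
{
    char buf[256];
    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);

    char *s = buf;
    while (*s && !is_nntp_space(*s))
        s++;
    if (!*s)                 /* bug 309444: was `if (s)` */
        return 0;
    *s = 0;                  /* terminate the group name; *s was a space */

    if (sscanf(s + 1, "%ld %ld %31s", &out->first, &out->last, out->flags) != 3)
        return 0;
    snprintf(out->group, sizeof out->group, "%s", buf);
    return 1;
}

/* Accept/reject wrapper for callers that do not need the fields. */
int xactive_accepts(const char *line)
{
    struct xactive_entry e;
    return parse_xactive_line(line, &e);
}

/* Parses a constructed sample line and returns 1 if every field matches. */
int demo_sample(void)
{
    struct xactive_entry e;
    const char *sample = "rec.arts.movies.past-films 7302 7119 csp"; /* constructed */
    if (!parse_xactive_line(sample, &e))
        return 0;
    return strcmp(e.group, "rec.arts.movies.past-films") == 0
        && e.first == 7302 && e.last == 7119
        && strcmp(e.flags, "csp") == 0;
}

int main(void)
{
    printf("original check, separator-less line: %d (would proceed)\n",
           separator_check("nogroupseparator", 0));
    printf("fixed check, separator-less line:    %d (rejected)\n",
           separator_check("nogroupseparator", 1));
    printf("sample parsed correctly: %d\n", demo_sample());
    return 0;
}
```

With this loop shape a line made only of spaces or tabs stops the scan at its first character rather than at the NUL, so it is the item-count check, not the pointer check, that rejects it; the separator-less line is the case where `if (*s)` alone matters.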
Assignee: general → nobody
Component: General → MailNews: Networking
Product: Mozilla Application Suite → Core
QA Contact: general → grylchan
Version: unspecified → 1.7 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: sNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure → nsNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure
Comment 2 (Assignee) • 19 years ago
Attachment #196925 - Flags: superreview?(mscott)
Updated • 19 years ago
Attachment #196925 - Flags: superreview?(mscott)
Attachment #196925 - Flags: superreview+
Attachment #196925 - Flags: approval1.8b5+
Updated (Assignee) • 19 years ago
Updated • 19 years ago
Flags: blocking1.8b5+
Updated • 19 years ago
Whiteboard: [sg:low]
Updated • 19 years ago
Group: security
Updated • 17 years ago
Product: Core → MailNews Core