Closed Bug 309444 Opened 19 years ago Closed 19 years ago

nsNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure

Categories: MailNews Core :: Networking
Type: defect
Version: 1.7 Branch
Hardware: x86
OS: All
Priority: Not set
Severity: minor
Tracking: (Not tracked)
Status: RESOLVED FIXED
Reporter: jackerror823
Assignee: Bienvenu
Keywords: fixed1.8
Whiteboard: [sg:low]
Attachments: 1 file

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050907 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050907 Firefox/1.0.6

A typo is breaking the ListXActiveResponse feature while potentially creating a minor security bug:

    4589 if (s)
    4590 {
    4591   char flags[32]; /* ought to be big enough */
    4592   *s = 0;
    4593   PR_sscanf(s + 1,
    4594             "%d %d %31s",
    4595             &m_firstPossibleArticle,
    4596             &m_lastPossibleArticle,
    4597             flags);

At line 4589 the condition is obviously erroneous (and will always be true) and should be:

    - if (s)
    + if (*s)

The write-in-memory at line 4592 is safe (in the worst scenario it's overwriting the terminating null byte with a new null byte), but the sscanf at line 4593 isn't: s + 1 could be out of bounds of the buffer, potentially disclosing a part of the heap (if it does match the required format).

I believe this bug is very minor and the security impact nearly null. I set the 'sensitive' flag by precaution; feel free to remove it at any time if you think it's the right thing to do.

Reproducible: Always

Steps to Reproduce:
I didn't try to reproduce/trigger it. I imagine it's easily doable by returning invalid input (full of ' ' or '\t' to match the NET_IF_SPACE line 4587).
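As an added illustration (not the Mozilla source or the attached patch), the two shapes of the check side by side in standalone C, with standard sscanf standing in for PR_sscanf, isspace() standing in for NET_IF_SPACE and the member variables replaced by a small struct. The input buffer is constructed so that the bytes read past the terminator stay inside the same array, which makes the disclosure observable without undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Fields of one "group first last flags" LIST XACTIVE line. */
typedef struct { int first; int last; char flags[32]; } xactive_t;

/* Advance past the group name: stop at the first whitespace byte or at the
 * terminating NUL (isspace() stands in for NET_IF_SPACE here). */
static char *skip_group_name(char *line)
{
    char *s = line;
    while (*s && !isspace((unsigned char)*s)) s++;
    return s;
}

/* Shape reported in the bug: the pointer is tested instead of the byte it points
 * to, so a line with no separator leaves s on the NUL and sscanf reads past it. */
int parse_xactive_buggy(char *line, xactive_t *out)
{
    char *s = skip_group_name(line);
    if (s) {                 /* always true: s is never NULL */
        *s = 0;              /* NUL over NUL in the bad case, harmless */
        return sscanf(s + 1, "%d %d %31s", &out->first, &out->last, out->flags);
    }
    return 0;
}

/* Fixed shape: reject a line without a separator before touching s + 1. */
int parse_xactive_fixed(char *line, xactive_t *out)
{
    char *s = skip_group_name(line);
    if (*s) {
        *s = 0;
        return sscanf(s + 1, "%d %d %31s", &out->first, &out->last, out->flags);
    }
    return 0;
}

int main(void)
{
    /* Constructed: no whitespace in the line, stale-looking bytes after the NUL. */
    char buf[64] = "comp.lang.c\0 7302 7119 csp";
    xactive_t r = {0};
    int n = parse_xactive_buggy(buf, &r);
    printf("buggy: %d fields read past the terminator: %d %d %s\n", n, r.first, r.last, r.flags);
    strcpy(buf, "comp.lang.c");
    printf("fixed: %d fields\n", parse_xactive_fixed(buf, &r));
    return 0;
}
```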
Assignee: general → nobody
Component: General → MailNews: Networking
Product: Mozilla Application Suite → Core
QA Contact: general → grylchan
Version: unspecified → 1.7 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: sNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure → nsNNTPProtocol::ListXActiveResponse cast error leading to memory disclosure
taking
Assignee: nobody → bienvenu
Attached patch: proposed fix
Attachment #196925 - Flags: superreview?(mscott)
Attachment #196925 - Flags: superreview+
Attachment #196925 - Flags: approval1.8b5+
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Flags: blocking1.8b5+
Whiteboard: [sg:low]
Group: security
Product: Core → MailNews Core