Closed Bug 362213 Opened 18 years ago Closed 17 years ago

heap overflow in MimeExternalBody_parse_eof

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: guninski, Assigned: Bienvenu)

Details

(Keywords: fixed1.8.0.9, fixed1.8.1.1, Whiteboard: [sg:critical])

Attachments

(2 files, 1 obsolete file)

overflow
1.78 KB, text/plain
Details
proposed fix
920 bytes, patch
mscott
: superreview+
mscott
: approval-thunderbird2+
dveditz
: approval1.8.0.9+
Details | Diff | Splinter Review
heap overflow in MimeExternalBody_parse_eof MimeExternalBody_parse_eof: h = (char *) PR_MALLOC((at ? strlen(at) : 0) + ... doesn't allocate space for |ct| and FROB("Type", ct); overflows. in addition in |(url ? strlen(url) : 0) + 100);| the constant |100| seems small and may be overflowed even if allocating |ct|. overflowing mailbox to follow.
Attached file overflow
Severity: normal → major
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.1?
Flags: blocking-thunderbird2?
geez, I love libmime. That code is crying out for rewriting with nsCStrings...Dan, I can look at this if you want.
Assignee: dveditz → bienvenu
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: wanted1.8.0.x+
Flags: blocking1.8.0.9?
Whiteboard: [sg:critical]
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Attached patch proposed fixSplinter Review
just add ct to the size calculation - I think all other fields are accounted for.
Attachment #246962 - Flags: superreview?(mscott)
Whiteboard: [sg:critical] → [sg:critical] needs reviews (mscott)
Attachment #246962 - Flags: superreview?(mscott)
Attachment #246962 - Flags: superreview+
Attachment #246962 - Flags: approval-thunderbird2+
Comment on attachment 246962 [details] [diff] [review] proposed fix simple fix.
Attachment #246962 - Flags: approval1.8.0.9?
fixed on trunk and 1.8.1 branch
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1.1
Resolution: --- → FIXED
Whiteboard: [sg:critical] needs reviews (mscott) → [sg:critical]
Comment on attachment 246962 [details] [diff] [review] proposed fix approved for 1.8.0 branch, a=dveditz
Attachment #246962 - Flags: approval1.8.0.9? → approval1.8.0.9+
Keywords: fixed1.8.0.9
(In reply to comment #1) (In reply to comment #0) > the constant |100| seems small this comment is dumb, but the logic of adding |strlen()| is strange. shouldn't it be MAX(strlen()) instead of + strlen?
all the strings get concatenated together, so we have to add all the strlens... you're right that 100 is too small - it needs to be ~76 (the total length of the header strings) + (4 * 12) (the per header overhead times the number of possible headers). That would handle the case where all the headers are present...So 150 would be a safe number...
address G30rgi's comment about 100 seeming too small, sorry I missed that before...
Attachment #247417 - Flags: superreview?(mscott)
Attachment #247417 - Flags: review?(dveditz)
I'm reopening this, unless we want a new bug for the issue the first patch didn't address.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #247417 - Flags: superreview?(mscott) → superreview+
(In reply to comment #9) > all the strings get concatenated together, so we have to add all the strlens... > are you sure about this? tried to exploit it with no luck. 373 # define FROB(STR,VAR) \ 374 if (VAR) \ 375 { \ 376 PL_strcpy(h, STR ": "); \ 377 PL_strcat(h, VAR); \ 378 PL_strcat(h, MSG_LINEBREAK); \ 379 status = MimeHeaders_parse_line(h, strlen(h), hdrs); \ 380 if (status < 0) goto FAIL; \ 381 } PL_strcpy starts from the begging of |h| ?
no, I think you're right - re-resolving as fixed. So I have no idea why they're adding together all the strlens...
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → FIXED
Attachment #247417 - Attachment is obsolete: true
Attachment #247417 - Flags: review?(dveditz)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
clearing blocking flag on a fix already landed on the branch.
Flags: blocking-thunderbird2?
Group: security
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 18 years ago17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: