Closed Bug 362213 Opened 18 years ago Closed 16 years ago

heap overflow in MimeExternalBody_parse_eof

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: guninski, Assigned: Bienvenu)

Details

(Keywords: fixed1.8.0.9, fixed1.8.1.1, Whiteboard: [sg:critical])

Attachments

(2 files, 1 obsolete file)

overflow
1.78 KB, text/plain
Details
proposed fix
920 bytes, patch
mscott
: superreview+
mscott
: approval-thunderbird2+
dveditz
: approval1.8.0.9+
Details | Diff | Splinter Review 
heap overflow in MimeExternalBody_parse_eof

MimeExternalBody_parse_eof:
	  h = (char *) PR_MALLOC((at ? strlen(at) : 0) + ...
doesn't allocate space for |ct| and    
FROB("Type",			ct);
overflows.

in addition in 	|(url ? strlen(url) : 0) + 100);| the constant |100| seems
small and may be overflowed even if allocating |ct|.

overflowing mailbox to follow.
Attached file overflow 
Severity: normal → major
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.1?
Flags: blocking-thunderbird2?

    
    

    
  
geez, I love libmime. That code is crying out for rewriting with nsCStrings...Dan, I can look at this if you want.
Assignee: dveditz → bienvenu
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: wanted1.8.0.x+
Flags: blocking1.8.0.9?
Whiteboard: [sg:critical]
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed fixSplinter Review
      

    


  
just add ct to the size calculation - I think all other fields are accounted for.

        Attachment #246962 -
        Flags: superreview?(mscott)
Whiteboard: [sg:critical] → [sg:critical] needs reviews (mscott)

    
  

        Attachment #246962 -
        Flags: superreview?(mscott)

        Attachment #246962 -
        Flags: superreview+

        Attachment #246962 -
        Flags: approval-thunderbird2+

    
    

    
  
Comment on attachment 246962 [details] [diff] [review]
proposed fix

simple fix.

        Attachment #246962 -
        Flags: approval1.8.0.9?

    
    

    
  
fixed on trunk and 1.8.1 branch
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1.1
Resolution: --- → FIXED
Whiteboard: [sg:critical] needs reviews (mscott) → [sg:critical]

    
    

    
  
Comment on attachment 246962 [details] [diff] [review]
proposed fix

approved for 1.8.0 branch, a=dveditz

        Attachment #246962 -
        Flags: approval1.8.0.9? → approval1.8.0.9+

    
  
Keywords: fixed1.8.0.9

    
    

    
  
(In reply to comment #1)


(In reply to comment #0)
> the constant |100| seems small

this comment is dumb, but the logic of adding |strlen()| is strange. shouldn't it be MAX(strlen()) instead of + strlen?



    
    

    
  
all the strings get concatenated together, so we have to add all the strlens...

you're right that 100 is too small - it needs to be ~76 (the total length of the header strings) + (4 * 12) (the per header overhead times the number of possible headers). That would handle the case where all the headers are present...So 150 would be a safe number...

    
    

    
  


  
address G30rgi's comment about 100 seeming too small, sorry I missed that before...

        Attachment #247417 -
        Flags: superreview?(mscott)

        Attachment #247417 -
        Flags: review?(dveditz)

    
    

    
  
I'm reopening this, unless we want a new bug for the issue the first patch didn't address.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
  

        Attachment #247417 -
        Flags: superreview?(mscott) → superreview+

    
    

    
  
(In reply to comment #9)
> all the strings get concatenated together, so we have to add all the strlens...
> 

are you sure about this?

tried to exploit it with no luck.

373 # define FROB(STR,VAR) \
374       if (VAR) \
375         { \
376           PL_strcpy(h, STR ": "); \
377           PL_strcat(h, VAR); \
378           PL_strcat(h, MSG_LINEBREAK); \
379           status = MimeHeaders_parse_line(h, strlen(h), hdrs); \
380           if (status < 0) goto FAIL; \
381         }

PL_strcpy starts from the begging of |h| ?




    
    

    
  
no, I think you're right - re-resolving as fixed. So I have no idea why they're adding together all the strlens...
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → FIXED

    
  

        Attachment #247417 -
        Attachment is obsolete: true

        Attachment #247417 -
        Flags: review?(dveditz)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+

    
    

    
  
clearing blocking flag on a fix already landed on the branch.
Flags: blocking-thunderbird2?
Group: security
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 18 years ago16 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: