If the packet is greater than INT_MAX in size, then yes, the integer
would probably overflow and result in a negative size. The patch to the
Nagios CGI handles negative values for the Content-Length, so unless I'm
missing something, we should be okay. Someone please chime in if you
believe otherwise.
sean finney wrote:
> hey ethan (et al),
>
> one of the debian security peeps brought to my attention another
> possible issue with the Content-Length that might not be resolved
> by the current patch. what if someone sends a packet of size
> INT_MAX or greater, causing an integer overflow?
>
> sean
>
> ----- Forwarded message from Sean Finney -----
>
> Date: Thu, 11 May 2006 13:46:27 -0400
> From: Sean Finney
> To: Martin Schulze
> Subject: Re: CVE-2006-2162: Buffer overflow in nagios
>
> hey joey,
>
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
>>> - crafting a simple "user-agent" that can illustrate the vulnerability
>>> by sending a negative or 0 value for content length to a nagios cgi
>>> (it doesn't have to actually inject any shell code or anything, just
>>> PoC would be fine by me).
>> Why user-agent? "All" you need to do is add some variables, so that
>
> as a general rule i feel much more comfortable having some kind of PoC
> code available that will tell me that my patch works. granted, in this
> case it's a rather straightforward patch, but still...
>
>> the Content-Length is either exactly INT_MAX or even larger, both
>> cause an integer overrun, which cause a negative malloc() which cause
>> a situation in which the attacker may control some memory they shouldn't.
>
> ah yes.. good point about INT_MAX. i'll forward this upstream as well,
> since i don't think ethan considered this.
>
>
> sean
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]