Bug 520384 - xmlNanoHTTPMethod receives a SIGSEGV connecting to a port != 80
Status: RESOLVED DUPLICATE of bug 514521
Product: libxml2
Classification: Platform
Component: general
Version: 2.6.31
Hardware/OS: Other / All
Priority/Severity: Normal / normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2008-03-04 21:42 UTC by Mike Hommey
Modified: 2008-03-05 08:19 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Mike Hommey 2008-03-04 21:42:21 UTC
(Filed on Debian BTS by Antonio Messina <amessina@ictp.it>)
( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464173 )

If you try to use xmlNanoHTTPMethod with a URL containing a port
different from 80, a buffer overflow can cause a SIGSEGV. I found the
bug using the nd utility to connect to a local Zope server.

Building both nd and libxml2 without optimization, with debug symbols
and linking with efence, the gdb backtrace is:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb7c006b0 (LWP 8415)]
    0xb7cbab91 in vsnprintf () from /lib/libc.so.6
    (gdb) bt
    #0  0xb7cbab91 in vsnprintf () from /lib/libc.so.6
    #1  0xb7c9f2d5 in snprintf () from /lib/libc.so.6
    #2  0xb7e4f065 in xmlNanoHTTPMethodRedir__internal_alias (URL=0xbf84e886 "http://localhost:1980/a/test-1",    method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8,redir=0x0,headers=0x0, ilen=0) at nanohttp.c:1388
    #3  0xb7e4f75c in xmlNanoHTTPMethod__internal_alias (URL=0xbf84e886 "http://localhost:1980/a/test-1",    method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8,headers=0x0,ilen=0) at nanohttp.c:1519
    #4  0x08049dad in ndHTTPMethod (URL=0xbf84e886 "http://localhost:1980/a/test-1", auth=0xb7b01ff0,    method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8,headers=0x0,ilen=0) at nd.c:383
    #5  0x0804bd93 in ndGetPrint (url=0xbf84e886 "http://localhost:1980/a/test-1",auth=0xb7b01ff0, ct_return=0xbf84c604,    outfp=0xb7da14e0) at nd.c:1469
    #6  0x0804d709 in main (argc=2, argv=0xbf84c754) at main.c:385
    
The bug is in nanohttp.c, lines 1367-1374:

   1367      if (ctxt->port == 80) {
   1368          p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s\r\n",
   1369                      ctxt->hostname);
   1370      } else {
   1371          p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s:%d\r\n",
   1372                      ctxt->hostname, ctxt->port);
   1373      }

The bp buffer is not large enough to also store the ":%d" format for the
port specification (in the "else" block). You should probably change
the line

   1338      blen += strlen(method) + strlen(ctxt->path) + 24;

to something like:

   blen += strlen(method) + strlen(ctxt->path) + 30;

or check the number of digits needed to store the port number as well, or
whatever...
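A worked comparison of the two sizing strategies discussed above, added here as an example and not libxml2's own code. It assumes the request head is laid out as "<method> <path> HTTP/1.0\r\nHost: <host>[:<port>]\r\n" and that the fixed budget is method + path + host plus a constant; the page only shows the "+ 24" term, so that base is an assumption. It also shows the check on the snprintf return value that "p += snprintf(...)" leaves out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxml2 code. Assumed head layout:
 *   "<method> <path> HTTP/1.0\r\nHost: <host>[:<port>]\r\n"
 * The fixed budget is an assumption modelled on the "+ 24" at nanohttp.c:1338:
 * method + path + host plus a constant headroom. */

/* Fixed-headroom sizing. The constant must cover the 20 literal bytes, the NUL
 * and, when port != 80, ":" plus up to five digits: 24 leaves 3 spare bytes,
 * 30 covers ":65535". */
size_t fixed_size(const char *method, const char *path, const char *host,
                  size_t headroom) {
    return strlen(method) + strlen(path) + strlen(host) + headroom;
}

/* Measured sizing: snprintf(NULL, 0, ...) returns the bytes the formatted head
 * needs; one more for the terminating NUL. */
size_t measured_size(const char *method, const char *path, const char *host,
                     int port) {
    int n = (port == 80)
        ? snprintf(NULL, 0, "%s %s HTTP/1.0\r\nHost: %s\r\n", method, path, host)
        : snprintf(NULL, 0, "%s %s HTTP/1.0\r\nHost: %s:%d\r\n",
                   method, path, host, port);
    return (size_t)n + 1;
}

/* Writes the head into buf; returns bytes written or -1 if it would not fit.
 * snprintf never writes past buflen, but "p += snprintf(...)" without this check
 * advances p by the untruncated length, so later writes land past the end. */
int write_head(char *buf, size_t buflen, const char *method, const char *path,
               const char *host, int port) {
    int n = (port == 80)
        ? snprintf(buf, buflen, "%s %s HTTP/1.0\r\nHost: %s\r\n", method, path, host)
        : snprintf(buf, buflen, "%s %s HTTP/1.0\r\nHost: %s:%d\r\n",
                   method, path, host, port);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* Does the head for these inputs fit in a buffer of buflen bytes? */
int head_fits(size_t buflen, const char *method, const char *path,
              const char *host, int port) {
    char *buf = malloc(buflen);
    int n = buf ? write_head(buf, buflen, method, path, host, port) : -1;
    free(buf);
    return n >= 0;
}
```

With the values from the backtrace (GET, /a/test-1, localhost:1980) the fixed budget with 24 comes out below the measured need, while 30 covers it and 24 is enough for port 80.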
Comment 1 William M. Brack 2008-03-05 08:19:33 UTC

*** This bug has been marked as a duplicate of 514521 ***