oss-security - CVE Request - OpenSLP 2.0 Memory Corruption

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <CAH4rwTLQx21iUP5HSxwCRVRdOYMHjDH9roxhgWjJghHujr9toA@mail.gmail.com>
Date: Tue, 27 Sep 2016 17:29:42 +0530
From: Reno Robert <renorobert@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request - OpenSLP 2.0 Memory Corruption

Hi,

The following commit fixes a memory corruption bug that I reported in OpenSLP:

https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/

Below are the details of the issue:

static int SLPFoldWhiteSpace(size_t len, char * str)
{
      char * p = str, * ep = str + len;
      while (p < ep)
      {
            if (isspace(*p))
            {
                char * ws2p = ++p;
                while (isspace(*p))
                     p++;
                len -= p - ws2p;
                memmove(ws2p, p, ep - p);

The outer while loop checks for p < ep, but lack of bound check in
inner while loop could result in p > ep. This will result in passing a
very large 'size_t len' (ep - p) parameter for memmove().

Could you assign a CVE for this?

-- 
Regards,
Reno Robert
http://v0ids3curity.blogspot.in/

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.