[hackers] [quark] basecgi: constant-dependent buffer overflow

From: Guy Sviry <sviryguy_AT_gmail.com>
Date: Fri, 7 Feb 2020 20:16:03 +0200

The basecgi patch has this particular line:

+ /* all other data will be later passed to script */
+ sprintf(r->cgicont, "%s", p);
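Review bot: `sprintf(r->cgicont, "%s", p)` puts no bound on p, so the copy is only safe while the maximum length of p (derived from HEADER_MAX) stays below sizeof(r->cgicont) (PATH_MAX), a coupling between two unrelated constants that nothing in the hunk checks or documents. Use `snprintf(r->cgicont, sizeof(r->cgicont), "%s", p)` and treat a return value >= sizeof(r->cgicont) as an error rather than handing a silently truncated body to the script; a static assertion that HEADER_MAX <= PATH_MAX next to the buffer declaration would make the assumption explicit.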

cgicont is declared as:

char cgicont[PATH_MAX];

which is 4096 on my machine.

Fortunately, max p derives from HEADER_MAX, which is 4096.

If you patch the header size const to be larger than 4096, then
sprintf will overflow.

I will send a patch to fix that soon, but for now, I guess using
`snprintf` will do the trick.
Received on Fri Feb 07 2020 - 19:16:03 CET
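The constant-dependent overflow described in the post, shown as an added example that is not quark's code and not part of the thread: a `cgicont[PATH_MAX]` buffer fed from data whose length is bounded only by a separate `HEADER_MAX`. The struct, the `HEADER_MAX` value and the `copy_cgicont*` function names are assumptions for illustration; only `PATH_MAX` and the `sprintf`/`snprintf` shapes come from the post. The hardened copy bounds the write, checks `snprintf`'s return value for truncation instead of passing a cut-off body to the script, and a static assertion turns the hidden coupling between the two constants into a build failure.

```c
/* Added example, not quark's own code. Names below other than PATH_MAX
 * (HEADER_MAX, struct request, copy_cgicont*) are assumed for
 * illustration and are not taken from the quark source. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096 /* fallback for systems that leave it undefined */
#endif

/* Assumed header size limit, 4096 as on the post author's machine.
 * Raising it above PATH_MAX is what makes the sprintf() copy below
 * write past r->cgicont. */
#define HEADER_MAX 4096

struct request {
	char cgicont[PATH_MAX];
};

/* Make the coupling between the two constants explicit: if a later patch
 * raises HEADER_MAX above PATH_MAX, the build fails instead of silently
 * shipping an overflow. */
_Static_assert(HEADER_MAX <= PATH_MAX,
               "HEADER_MAX must not exceed PATH_MAX or cgicont can overflow");

/* The shape of the original patch line: correct only while the caller
 * guarantees strlen(p) < sizeof(r->cgicont). */
void
copy_cgicont_unsafe(struct request *r, const char *p)
{
	sprintf(r->cgicont, "%s", p); /* no bound on p */
}

/* Hardened form: snprintf() never writes past the buffer, and its return
 * value (the length it would have written) reveals truncation.
 * Returns 0 on success, -1 if p did not fit. */
int
copy_cgicont(struct request *r, const char *p)
{
	int n = snprintf(r->cgicont, sizeof(r->cgicont), "%s", p);
	if (n < 0 || (size_t)n >= sizeof(r->cgicont)) {
		r->cgicont[0] = '\0'; /* never hand a truncated body to the script */
		return -1;
	}
	return 0;
}

/* Constructed input: a body that fits. Returns 1 if copied verbatim. */
int
demo_fits(void)
{
	struct request r;
	const char *body = "name=quark&n=1";
	return copy_cgicont(&r, body) == 0 && strcmp(r.cgicont, body) == 0;
}

/* Constructed input: PATH_MAX-1 bytes, the largest body that still fits
 * with its terminator. Returns 1 if accepted. */
int
demo_boundary_fits(void)
{
	struct request r;
	char body[PATH_MAX];
	memset(body, 'A', PATH_MAX - 1);
	body[PATH_MAX - 1] = '\0';
	return copy_cgicont(&r, body) == 0 && strlen(r.cgicont) == PATH_MAX - 1;
}

/* Constructed input: PATH_MAX bytes, one more than the buffer can hold,
 * exactly what an oversized HEADER_MAX would let through. Returns 1 if
 * rejected and the buffer left empty. */
int
demo_overlong(void)
{
	struct request r;
	char body[PATH_MAX + 1];
	memset(body, 'A', PATH_MAX);
	body[PATH_MAX] = '\0';
	return copy_cgicont(&r, body) == -1 && r.cgicont[0] == '\0';
}

int
main(void)
{
	printf("fits: %d boundary: %d overlong rejected: %d\n",
	       demo_fits(), demo_boundary_fits(), demo_overlong());
	return 0;
}
```

The return-value check matters as much as the bound: `snprintf` alone turns the overflow into silent truncation, which for a CGI body means the script receives a different request than the client sent.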

This archive was generated by hypermail 2.3.0 : Fri Feb 07 2020 - 19:24:17 CET