Segmentation fault caused by SecHash buffer overflow on windows 2012 R2 #1354

Closed
parthasarathi204 opened this issue Mar 15, 2017 · 1 comment
parthasarathi204 commented Mar 15, 2017

Issue: A buffer overflow caused a segmentation fault while running the regression tests on Windows 2012 R2. This is a genuine issue irrespective of platform.
The stack looks as below:
__report_gsfailure(unsigned __int64 StackCookie) Line
hmac(modsec_rec * msr, const char * key, int key_len, unsigned char * msg, int msglen) Line 236 C
do_hash_link(modsec_rec * msr, char * link, int type)
msre_op_validateHash_execute(modsec_rec * msr, msre_rule * rule, msre_var * var, char * * error_msg)
execute_operator(msre_var * var, msre_rule * rule, modsec_rec * msr, msre_actionset * acting_actionset, apr_pool_t * mptmp)

Cause: The issue is due to a buffer overflow in the hmac() function of msc_crypt.c.
char *hmac(modsec_rec *msr, const char *key, int key_len, unsigned char *msg, int msglen) {
..........................
..........................
char hex_digest[APR_SHA1_DIGESTSIZE * 2];
hmac_digest = hex_digest;
for (i = 0; i < sizeof (digest); i++) {
*hmac_digest++ = hex[digest[i] >> 4];
*hmac_digest++ = hex[digest[i] & 0xF];
}
*hmac_digest = '\0';
...........................
...........................
}

There is no memory to copy '\0' into hex_digest. Due to that, apr_pstrdup() raises a segmentation fault.

Fix: To fix the issue, the hex_digest buffer should be increased to hex_digest[APR_SHA1_DIGESTSIZE * 2 + 1] to accommodate the '\0'.

Patch :
--- a/apache2/msc_crypt.c
+++ b/apache2/msc_crypt.c

- char hex_digest[APR_SHA1_DIGESTSIZE * 2], *hmac_digest;
+ char hex_digest[APR_SHA1_DIGESTSIZE * 2 + 1], *hmac_digest;
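Review bot: the `+ 1` in the new `hex_digest` declaration is an unexplained magic number, and the buffer size is still tied only implicitly to the loop bound `i < sizeof (digest)` shown in the snippet above. Add a short comment saying the extra byte holds the terminator written by `*hmac_digest = '\0';`, and consider sizing the array from the same expression the loop uses (for example `sizeof(digest) * 2 + 1`) so a later change to the digest length cannot bring the overflow back.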

@zimmerle zimmerle self-assigned this May 22, 2017
Contributor

zimmerle commented May 23, 2017

Fixed ;) Thanks!

6f49bad
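The off-by-one reported in this issue, as an added C example (not ModSecurity's code and not part of the thread): a hex encoder that is told the destination size and refuses a buffer that cannot hold two characters per byte plus the terminating NUL. `hex_encode`, `DIGEST_LEN`, `demo_out` and the sample digest are hypothetical names and constructed values used only for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20 /* assumed: SHA-1 digest size in bytes */

/* Constructed sample digest, not real HMAC output. */
static const unsigned char sample_digest[DIGEST_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67
};

/* Destination sized for 2 hex characters per byte plus the NUL. */
static char demo_out[DIGEST_LEN * 2 + 1];

/*
 * Hypothetical helper: hex-encode in[0..in_len) into out.
 * Returns the number of hex characters written (out is then
 * NUL-terminated), or -1 without touching out when out_size is
 * smaller than 2 * in_len + 1.
 */
int hex_encode(const unsigned char *in, size_t in_len,
               char *out, size_t out_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t i;

    if (in == NULL || out == NULL)
        return -1;
    /* Reject lengths where 2 * in_len + 1 would wrap, then check room. */
    if (in_len > (SIZE_MAX - 1) / 2 || out_size < in_len * 2 + 1)
        return -1;
    for (i = 0; i < in_len; i++) {
        *out++ = hex[in[i] >> 4];
        *out++ = hex[in[i] & 0xF];
    }
    *out = '\0'; /* the byte a DIGEST_LEN * 2 buffer has no room for */
    return (int)(in_len * 2);
}

int main(void)
{
    /* A size of DIGEST_LEN * 2 (the pre-fix buffer size) is refused. */
    printf("40-byte buffer: %d\n",
           hex_encode(sample_digest, DIGEST_LEN, demo_out, DIGEST_LEN * 2));
    printf("41-byte buffer: %d\n",
           hex_encode(sample_digest, DIGEST_LEN, demo_out, sizeof demo_out));
    printf("hex: %s\n", demo_out);
    return 0;
}
```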
