[Aptitude-devel] Quick Question
Joshua Rogers
megamansec at gmail.com
Thu Oct 30 11:23:37 UTC 2014
Hi guys,
I was looking at the Aptitude source code, and came across this in the
src/download_list.cc file, starting from line 313:
>     char intbuf[50]; // Waay more than enough.
>
>     sprintf(intbuf,
>             " [ %sB/%sB ]",
>             SizeToStr(serf->CurrentSize).c_str(),
>             SizeToStr(serf->TotalSize).c_str());
It is my understanding that 'serf->TotalSize' is determined by the
header values that the webserver sends to the client prior to sending
off the whole file.
Since it uses the header values given by Apache, is it not possible to
spoof those numbers to cause a buffer overflow?
Doing a quick check, the same code is used in src/download_item.cc on
line 99.
SizeToStr goes up to 'YottaBytes', I believe, so if one were to set the
size header of '100000000000000000000000000000000000000000 yottabytes',
they could cause a buffer overflow.
That is 1e+65 bytes.
It probably isn't of concern, but I'd just like to report it in case. I
think it's good practice too.
Since it's not really a serious thing, I won't bother sending this to
the Debian security team.
Thanks,
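As an added illustration of the pattern discussed in this message (not code from aptitude or apt), the following C program keeps the quoted 50-byte buffer and the " [ %sB/%sB ]" format string, but takes the two size strings as plain parameters instead of calling apt's SizeToStr, whose real output is not modelled here. It shows how to measure what an unbounded sprintf would have written, and the bounded snprintf form with an explicit truncation check that a maintainer would substitute for it. The function names, the placeholder fallback text and the sample inputs are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not aptitude's code. INTBUF_LEN and the format
 * string mirror the snippet quoted above; the size strings are plain
 * parameters rather than output of apt's SizeToStr. */
#define INTBUF_LEN 50

/* How many bytes (excluding the terminator) the formatted string needs.
 * snprintf with a NULL buffer and size 0 only measures; nothing is written.
 * This is the length an unchecked sprintf into intbuf would have emitted. */
static int progress_needed_len(const char *cur, const char *tot)
{
    return snprintf(NULL, 0, " [ %sB/%sB ]", cur, tot);
}

/* Does a pair of size strings (plus terminator) fit the 50-byte buffer? */
static bool fits_intbuf(const char *cur, const char *tot)
{
    return progress_needed_len(cur, tot) < INTBUF_LEN;
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns true when the full string fit, false when it was truncated
 * (in which case a fixed placeholder is written instead). */
static bool format_progress(char *out, size_t out_len,
                            const char *cur, const char *tot)
{
    int n = snprintf(out, out_len, " [ %sB/%sB ]", cur, tot);
    if (n < 0) {                     /* encoding/format failure */
        if (out_len > 0)
            out[0] = '\0';
        return false;
    }
    /* n is the length the complete string would have had; n >= out_len
     * means snprintf stopped early (still NUL-terminated), so the caller
     * can react here instead of having corrupted adjacent memory. */
    if ((size_t)n >= out_len) {
        if (out_len > 0)
            snprintf(out, out_len, " [ ?B/?B ]");   /* constructed placeholder */
        return false;
    }
    return true;
}

int main(void)
{
    char intbuf[INTBUF_LEN];
    /* Constructed inputs: an ordinary pair, and an absurdly long size string
     * standing in for a malformed or hostile value. */
    const char *cur = "1.2 M";
    const char *tot = "9.8 M";
    char huge[80];
    memset(huge, '9', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    printf("ordinary pair needs %d bytes, fits in %d: %s\n",
           progress_needed_len(cur, tot), INTBUF_LEN,
           fits_intbuf(cur, tot) ? "yes" : "no");
    printf("huge pair needs %d bytes, fits in %d: %s\n",
           progress_needed_len(cur, huge), INTBUF_LEN,
           fits_intbuf(cur, huge) ? "yes" : "no");

    bool ok = format_progress(intbuf, sizeof intbuf, cur, huge);
    printf("bounded formatting: %s -> \"%s\"\n",
           ok ? "complete" : "truncated", intbuf);
    return 0;
}
```

The defensive point is the return value of snprintf: it reports the length the string would have had, so a value of `out_len` or more is the signal that the input did not fit, and the code can choose a safe fallback rather than silently writing past the end of the array.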