[xml/sgml-pkgs] Bug#464173: libxml2: xmlNanoHTTPMethod receive a SIGSEGV connecting to a port != 80

Antonio Messina amessina at ictp.it
Tue Feb 5 16:20:22 UTC 2008


Package: libxml2
Version: 2.6.31.dfsg-1
Severity: important


If you try to use xmlNanoHTTPMethod with a URL containing a port
different from 80, a buffer overflow can cause a SIGSEGV. I found the
bug using the nd utility to connect to a local zope server.

Building both nd and libxml2 without optimization, with debug symbols
and linking with efence, the gdb backtrace is:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb7c006b0 (LWP 8415)]
    0xb7cbab91 in vsnprintf () from /lib/libc.so.6
    (gdb) bt
    #0  0xb7cbab91 in vsnprintf () from /lib/libc.so.6
    #1  0xb7c9f2d5 in snprintf () from /lib/libc.so.6
    #2  0xb7e4f065 in xmlNanoHTTPMethodRedir__internal_alias (URL=0xbf84e886 "http://localhost:1980/a/test-1",    method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8,redir=0x0,headers=0x0, ilen=0) at nanohttp.c:1388
    #3  0xb7e4f75c in xmlNanoHTTPMethod__internal_alias (URL=0xbf84e886 "http://localhost:1980/a/test-1",    method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8,headers=0x0,ilen=0) at nanohttp.c:1519
    #4  0x08049dad in ndHTTPMethod (URL=0xbf84e886 "http://localhost:1980/a/test-1", auth=0xb7b01ff0,    method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8,headers=0x0,ilen=0) at nd.c:383
    #5  0x0804bd93 in ndGetPrint (url=0xbf84e886 "http://localhost:1980/a/test-1",auth=0xb7b01ff0, ct_return=0xbf84c604,    outfp=0xb7da14e0) at nd.c:1469
    #6  0x0804d709 in main (argc=2, argv=0xbf84c754) at main.c:385
    
The bug is in nanohttp.c, lines 1367-1374:

   1367      if (ctxt->port == 80) {
   1368          p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s\r\n",
   1369                      ctxt->hostname);
   1370      } else {
   1371          p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s:%d\r\n",
   1372                      ctxt->hostname, ctxt->port);
   1373      }

The bp buffer is not large enough to also store the ":%d" format for the
port specification (in the "else" block). You should probably change
the line

   1338      blen += strlen(method) + strlen(ctxt->path) + 24;

with something like:

   blen += strlen(method) + strlen(ctxt->path) + 30;

or check the number of digits needed to also store the port number, or
whatever...

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22.9-mactel (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                  2.7-6             GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-11 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

-- no debconf information
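Added example (not libxml2's code; function names are hypothetical) that sizes the request head exactly, counting the ":<port>" bytes the fixed +24 allowance in the report leaves out, and assembles it with every snprintf return value checked against the remaining space. snprintf returns the length it would have written, so the "p += snprintf(...)" pattern can move p past the end of the buffer once the allowance is wrong; the version below stops instead.

```c
/* Added example, not libxml2 code: exact sizing and bounded assembly of
 * "<method> <path> HTTP/1.0\r\nHost: <host>[:<port>]\r\n". */
#include <stdio.h>
#include <string.h>

/* Number of decimal digits needed to print a non-negative int. */
static size_t decimal_digits(int v)
{
    size_t n = 1;
    while (v >= 10) { v /= 10; n++; }
    return n;
}

/* Bytes needed for the head, including the terminating NUL.  The
 * ":<port>" part is what a fixed allowance must also cover. */
size_t request_head_size(const char *method, const char *path,
                         const char *host, int port)
{
    size_t n = strlen(method) + 1 + strlen(path)
             + strlen(" HTTP/1.0\r\nHost: ") + strlen(host) + 2; /* \r\n */
    if (port != 80)
        n += 1 + decimal_digits(port);      /* ":" plus the port digits */
    return n + 1;                           /* NUL */
}

/* Write the head into buf (size blen).  Returns the number of bytes
 * written (excluding NUL), or -1 if it would not fit.  Each snprintf
 * return value is compared with the remaining space before p advances,
 * so a short buffer yields an error rather than an overflow. */
int build_request_head(char *buf, size_t blen, const char *method,
                       const char *path, const char *host, int port)
{
    char *p = buf;
    int n;

    if (blen == 0) return -1;
    n = snprintf(p, blen, "%s %s HTTP/1.0\r\nHost: %s", method, path, host);
    if (n < 0 || (size_t)n >= blen) return -1;
    p += n;
    if (port != 80) {
        n = snprintf(p, blen - (size_t)(p - buf), ":%d", port);
        if (n < 0 || (size_t)n >= blen - (size_t)(p - buf)) return -1;
        p += n;
    }
    n = snprintf(p, blen - (size_t)(p - buf), "\r\n");
    if (n < 0 || (size_t)n >= blen - (size_t)(p - buf)) return -1;
    p += n;
    return (int)(p - buf);
}
```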
