Uploaded image for project: 'Axis2-C'
  1. Axis2-C
  2. AXIS2C-974

Buffer overflow in HTTP Authentication client (with solution)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 1.2.0, 1.3.0
    • 1.2.0, 1.3.0
    • transport/http
    • None
    • Axis + Visual C++ 6

    Description

      Bug is present in 1.3.0-RC1 announced by Dinesh on 7/2/2008 too.

      In file /src/core/transport/http/sender/http_sender.c, functions axis2_http_sender_configure_http_basic_auth and axis2_http_sender_configure_proxy_basic_auth use sprintf without allocating enough bytes to hold the null string terminator.

      Line 1295, int plen = axutil_strlen (uname) + axutil_strlen (passwd) + 1 is not correct, should be +2.
      Line 1302, elen = axutil_base64_encode_len (plen) is not correct, a +1 should be added.

      Similar fixes should be applied to lines 1423 and 1430.

      Please note that memory allocation for auth_str (using elen + 6) is risky for the future. If "Basic" is substituted with "Digest" the +6 becomes incorrect, causing another buffer overflow.

      Thank you,
      Stefano.

      Attachments

        Activity

          People

            senakafdo Senaka Fernando
            spettini Stefano Pettini
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: