From patchwork Mon Apr 24 03:28:19 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Liangbin Lian
X-Patchwork-Id: 1772526
X-Patchwork-Delegate: hauke@hauke-m.de
From: Liangbin Lian
To: openwrt-devel@lists.openwrt.org
Cc: Liangbin Lian
Subject: [PATCH] uhttpd/file: fix string out of buffer range on uh_defer_script
Date: Mon, 24 Apr 2023 11:28:19 +0800
Message-Id: <20230424032818.98903-1-jjm2473@gmail.com>
X-Mailer: git-send-email 2.37.1 (Apple Git-137.1)

If a URL path length is a multiple of 4, the trailing zero will be trimmed out
on uh_defer_script, causing a strange error.

It's simple to reproduce.

1. Create a luci controller, register an entry with a path length that is a multiple of 4 (including '/cgi-bin/'), for example, '/cgi-bin/luci/admin/system/admin'.
2. Set uhttpd max_requests to 1, and restart uhttpd.
3. Request '/cgi-bin/luci/admin/system/admin' with at least 2 processes.
4. Some responses will produce an error:
```
Unable to launch the requested CGI program: /www/cgi-bin/luci: No such file or directory
```

Signed-off-by: Liangbin Lian
--- file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/file.c b/file.c index ac781c1..d117387 100644 --- a/file.c +++ b/file.c 
@@ -797,7 +797,7 @@ uh_defer_script(struct client *cl, struct dispatch_handler *d, char *url, struct /* allocate enough memory to duplicate all path_info strings in one block */ #undef _field #define _field(_name) &_##_name, field_len(pi->_name), - dr = calloc_a(sizeof(*dr), &_url, strlen(url), path_info_fields NULL); + dr = calloc_a(sizeof(*dr), &_url, strlen(url) + 1, path_info_fields NULL); memcpy(&dr->pi, pi, sizeof(*pi)); dr->path = true; @@ -807,7 +807,7 @@ uh_defer_script(struct client *cl, struct dispatch_handler *d, char *url, struct #define _field(_name) if (pi->_name) dr->pi._name = strcpy(_##_name, pi->_name); path_info_fields } else { - dr = calloc_a(sizeof(*dr), &_url, strlen(url), NULL); + dr = calloc_a(sizeof(*dr), &_url, strlen(url) + 1, NULL); } cl->dispatch.req_data = dr;
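Review bot: In the first hunk, the result of calloc_a() is dereferenced on the very next line, memcpy(&dr->pi, pi, sizeof(*pi)), with no NULL check visible in the context. Since this allocation is being touched anyway, consider returning early when dr is NULL before the memcpy. It is also worth confirming that field_len(pi->_name) counts the terminating NUL, because the path_info fields are filled with strcpy() a few lines further down and would have the same problem as url if it does not.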
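Review bot: The second hunk repeats strlen(url) + 1 in the else branch, so the buffer size is now open-coded at two allocation sites. Computing it once before the if/else (for example a local size_t url_len = strlen(url) + 1) would keep the two calloc_a() calls from drifting apart again. A short comment that the + 1 is for the terminating NUL would also help, given that per the commit message the missing byte only showed up for path lengths that are a multiple of 4. The copy into _url is outside both hunks; please check that it writes or preserves the terminator.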