fix potential UAF in header handling (CVE-2023-49606)
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 this bug was brought to my attention today by the debian tinyproxy package maintainer. the above link states that the issue was known since last year and that maintainers have been contacted, but if that is even true then it probably was done via a private email to a potentially outdated email address of one of the maintainers, not through the channels described clearly on the tinyproxy homepage: > Feel free to report a new bug or suggest features via github issues. > Tinyproxy developers hang out in #tinyproxy on irc.libera.chat. no github issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat. if the issue had been reported on github or IRC, the bug would have been fixed within a day.
parent
92289d5a4c
commit
12a8484265
@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
|
|||||||
char *data;
|
char *data;
|
||||||
char *ptr;
|
char *ptr;
|
||||||
ssize_t len;
|
ssize_t len;
|
||||||
int i;
|
int i,j,df;
|
||||||
|
|
||||||
for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
|
for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
|
||||||
/* Look for the connection header. If it's not found, return. */
|
/* Look for the connection header. If it's not found, return. */
|
||||||
@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
|
|||||||
*/
|
*/
|
||||||
ptr = data;
|
ptr = data;
|
||||||
while (ptr < data + len) {
|
while (ptr < data + len) {
|
||||||
orderedmap_remove (hashofheaders, ptr);
|
df = 0;
|
||||||
|
/* check that ptr isn't one of headers to prevent
|
||||||
|
double-free (CVE-2023-49606) */
|
||||||
|
for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
|
||||||
|
if(!strcasecmp(ptr, headers[j])) df = 1;
|
||||||
|
if (!df) orderedmap_remove (hashofheaders, ptr);
|
||||||
|
|
||||||
/* Advance ptr to the next token */
|
/* Advance ptr to the next token */
|
||||||
ptr += strlen (ptr) + 1;
|
ptr += strlen (ptr) + 1;
|
||||||
|
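Review bot: The new inner loop at `for (j = 0; ...)` is hard to audit for a memory-safety fix: it is unbraced, keeps scanning after a match, uses the opaque flag name `df`, and `if(!strcasecmp` drops the space that `if (!df)` on the next line keeps. I would write the body as `if (!strcasecmp (ptr, headers[j])) { skip = 1; break; }`, with `skip` replacing `df` in the declaration and in the guard. The comment should state the invariant rather than only the CVE id, for example `/* data/ptr walk the value of a headers[] entry; removing an entry named in headers[] here could free the buffer still being walked */`; the lookup that sets `data` is outside the hunk, so confirm that wording against it. `strcasecmp` is declared in `<strings.h>`, and the visible lines do not show whether the file includes it. remove_connection_headers starts before and continues past the visible lines, so the later removal of the header entry itself could not be checked here.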