Darren Thurston wrote:
> 
> #!/usr/bin/perl
> # estranged.pl
> # AKA
> # Polipo 1.0.4 Remote Memory Corruption 0day PoC

Cute.

> $payload = "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";
> 

The proof of concept works as advertised. Wheee.

Here's a simple patch (that probably breaks some requests and is
imperfect) to stop the proof of concept while we wait on upstream to
provide a real fix for it:

--- polipo-1.0.4/client.c       2008-01-08 14:56:45.000000000 +0200
+++ polipo-1.0.4-fixed/client.c 2009-12-09 15:30:53.000000000 +0200
@@ -998,7 +998,7 @@
         return 1;
     }

-    if(connection->reqlen > connection->reqbegin) {
+    if(connection->reqlen > connection->reqbegin && (connection->reqlen
- connection->reqbegin ) > 0 ) {
         memmove(connection->reqbuf, connection->reqbuf +
connection->reqbegin,
                 connection->reqlen - connection->reqbegin);
         connection->reqlen -= connection->reqbegin;
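Review bot: the added `&& (connection->reqlen - connection->reqbegin ) > 0` is redundant with the existing `reqlen > reqbegin` when both fields have the same signed type (it can only differ if the subtraction itself overflows, which is undefined behaviour for signed ints), so the hunk does not address how `reqlen` reaches this `memmove` with a value derived from a near-2^31 `Content-Length`; the durable fix is to validate and cap `Content-Length` where it is parsed and to check `reqbegin <= reqlen <= buffer size` immediately before the move. Separately, the new `+` line is wrapped in the mail so that its continuation begins with `- connection->reqbegin ) > 0 ) {`, which `patch` will read as a removed line and reject; keep the whole condition on one `+` line when sending.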

Using memmove like that is extremely unsafe. :-(

Best,
Jacob
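As an added example, not part of this thread and not polipo's own code, here is a defensive version of the two operations the patch touches: a buffer compaction that checks its indices before calling memmove, and a Content-Length parser that rejects the oversized value from the PoC. The struct and its `bufsize` field, the 64 MiB body limit, the helper names and the sample request are all assumptions; only `reqbuf`, `reqlen` and `reqbegin` are taken from the diff.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical connection state, modelled on the field names visible in
   the patch (reqbuf, reqlen, reqbegin) plus an assumed allocation size.
   This is not polipo's real struct. */
struct request_buffer {
    char *reqbuf;     /* backing storage */
    size_t bufsize;   /* allocated size of reqbuf */
    size_t reqlen;    /* bytes of valid data in reqbuf */
    size_t reqbegin;  /* offset of the first unconsumed byte */
};

/* Move unconsumed bytes to the front of the buffer.  The invariant
   reqbegin <= reqlen <= bufsize is verified before memmove runs, so a
   corrupted or wrapped length can never produce an out-of-bounds copy.
   Returns 0 on success, -1 if the state is inconsistent (the caller
   should drop the connection rather than continue). */
int compact_request_buffer(struct request_buffer *rb)
{
    if (rb->reqbuf == NULL || rb->reqlen > rb->bufsize || rb->reqbegin > rb->reqlen)
        return -1;
    if (rb->reqbegin == 0)
        return 0;                                  /* nothing to move */
    size_t remaining = rb->reqlen - rb->reqbegin;  /* cannot underflow after the check */
    memmove(rb->reqbuf, rb->reqbuf + rb->reqbegin, remaining);
    rb->reqlen = remaining;
    rb->reqbegin = 0;
    return 0;
}

/* Parse a Content-Length header value.  Rejects leading whitespace or
   signs (strtoull would silently accept both), non-digit trailers,
   values that overflow unsigned long long, and anything above max_body.
   Returns 0 and stores the length, or -1 on rejection. */
int parse_content_length(const char *value, size_t max_body, size_t *out)
{
    if (value == NULL || *value < '0' || *value > '9')
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value)
        return -1;
    while (*end == ' ' || *end == '\t')            /* tolerate trailing OWS only */
        end++;
    if (*end != '\0' || n > max_body)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Convenience wrapper: 1 if the value would be accepted, 0 otherwise. */
int accepts_content_length(const char *value, size_t max_body)
{
    size_t n = 0;
    return parse_content_length(value, max_body, &n) == 0;
}

/* Constructed sample: consume "GET / " (6 bytes) of a 16-byte request
   line and compact.  Returns the bytes left, or -1 if a check failed. */
long sample_compaction(void)
{
    char buf[16];
    memcpy(buf, "GET / HTTP/1.1\r\n", sizeof buf);
    struct request_buffer rb = { buf, sizeof buf, sizeof buf, 6 };
    if (compact_request_buffer(&rb) != 0)
        return -1;
    if (memcmp(buf, "HTTP/1.1\r\n", 10) != 0)
        return -1;
    return (long)rb.reqlen;
}

/* Constructed sample of corrupted state: reqlen larger than the buffer. */
long sample_corrupted_length(void)
{
    char buf[16] = { 0 };
    struct request_buffer rb = { buf, sizeof buf, 20, 6 };
    return compact_request_buffer(&rb);
}

int main(void)
{
    /* 64 MiB is an assumed, deployment-specific body limit. */
    printf("PoC Content-Length 2147483602 accepted? %s\n",
           accepts_content_length("2147483602", 64u << 20) ? "yes" : "no");
    printf("bytes remaining after compaction: %ld\n", sample_compaction());
    printf("corrupted state rejected? %s\n",
           sample_corrupted_length() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the split is that the length check happens once, at parse time, against an explicit limit, and the compaction never trusts its own indices; the patch in the mail instead re-checks a difference that the surrounding comparison has already established.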
