Darren Thurston wrote:
>
> #!/usr/bin/perl
> # estranged.pl
> # AKA
> # Polipo 1.0.4 Remote Memory Corruption 0day PoC

Cute.

> $payload = "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";

The proof of concept works as advertised. Wheee.

Here's a simple patch (that probably breaks some requests and is imperfect) to stop the proof of concept while we wait on upstream to provide a real fix for it:

--- polipo-1.0.4/client.c	2008-01-08 14:56:45.000000000 +0200
+++ polipo-1.0.4-fixed/client.c	2009-12-09 15:30:53.000000000 +0200
@@ -998,7 +998,7 @@
 return 1;
 }
-    if(connection->reqlen > connection->reqbegin) {
+    if(connection->reqlen > connection->reqbegin && (connection->reqlen - connection->reqbegin ) > 0 ) {
 memmove(connection->reqbuf, connection->reqbuf + connection->reqbegin, connection->reqlen - connection->reqbegin);
 connection->reqlen -= connection->reqbegin;

Using memmove like that is extremely unsafe. :-(

Best,
Jacob
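Review bot: the extra test "(connection->reqlen - connection->reqbegin ) > 0" on the patched line adds nothing over the existing "connection->reqlen > connection->reqbegin" if both fields are the same signed integer type, other than in the case where the subtraction overflows, and signed overflow is undefined behaviour in C, so a compiler is entitled to fold the second test away as always true given the first. What the memmove on the following line needs, and what neither condition checks, is that reqbegin is not negative and that reqlen does not exceed the allocation behind reqbuf; rejecting "connection->reqbegin < 0" and a reqlen larger than the allocated size of reqbuf (whatever field records it) before the memmove would keep a bad offset from being turned into a huge size_t length. Minor style point: the stray spaces before ")" in "reqbegin )" and "> 0 )" do not match the surrounding code.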
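An added illustration of the hazard the patch above is aimed at; this is not Polipo's code and not code from the post. It builds a toy request buffer with the hunk's field names (reqbuf, reqlen, reqbegin) and shows why testing reqlen and reqbegin only against each other, as both the original and the patched condition do, is not enough once one of them holds an out-of-range value, and what a capacity-checked compaction looks like instead. The reqcap field, the negative-reqbegin and oversized-reqlen states (the page does not show how Polipo reaches any such state), and all helper names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy request buffer using the field names from the quoted hunk.
 * Added illustration only: this is not Polipo's struct, and reqcap
 * (the allocated size of reqbuf) is an assumed field the hunk never shows. */
struct conn {
    char *reqbuf;
    int   reqcap;    /* assumed: bytes allocated for reqbuf */
    int   reqlen;    /* bytes of request data currently in reqbuf */
    int   reqbegin;  /* offset of the first byte not yet consumed */
};

/* The condition on the original ('-') line of the hunk. */
static bool guard_original(const struct conn *c)
{
    return c->reqlen > c->reqbegin;
}

/* The condition on the patched ('+') line of the hunk. */
static bool guard_patched(const struct conn *c)
{
    return c->reqlen > c->reqbegin && (c->reqlen - c->reqbegin) > 0;
}

/* What memmove receives for its size_t parameter when handed the int
 * expression reqlen - reqbegin. The subtraction is done in long long so
 * this helper itself cannot overflow; the final cast is the same implicit
 * signed-to-size_t conversion the memmove call performs, so a negative
 * difference becomes an enormous length. */
static size_t memmove_length(int reqlen, int reqbegin)
{
    long long diff = (long long)reqlen - (long long)reqbegin;
    return (size_t)diff;
}

/* Hardened compaction: check every precondition memmove needs against the
 * buffer's real capacity, and refuse (touching nothing) on a bad state. */
static bool compact_request_safe(struct conn *c)
{
    if (c->reqbuf == NULL || c->reqcap < 0)
        return false;
    if (c->reqbegin < 0 || c->reqlen < 0)
        return false;                         /* offsets must be non-negative */
    if (c->reqbegin > c->reqlen || c->reqlen > c->reqcap)
        return false;                         /* data must lie inside reqbuf */
    if (c->reqbegin == 0)
        return true;                          /* nothing to move */
    size_t n = (size_t)(c->reqlen - c->reqbegin);  /* provably in [0, reqcap] */
    memmove(c->reqbuf, c->reqbuf + c->reqbegin, n);
    c->reqlen -= c->reqbegin;
    c->reqbegin = 0;
    return true;
}

/* Constructed scenarios (not taken from the page):
 *  - a sane buffer;
 *  - a buffer whose reqbegin some earlier arithmetic error left negative;
 *  - a buffer whose reqlen exceeds the allocation.
 * Returns the number of expectations that failed (0 = all as described). */
static int demo(void)
{
    char buf[64];
    int failures = 0;
    memset(buf, 'A', sizeof buf);

    struct conn ok  = { buf, (int)sizeof buf, 40, 10 };
    struct conn neg = { buf, (int)sizeof buf, 40, -100 };
    struct conn big = { buf, (int)sizeof buf, 100, 10 };

    /* Both guards accept the negative reqbegin, and memmove would then be
     * asked to move 140 bytes out of a 64-byte buffer, starting before it. */
    if (!guard_original(&neg) || !guard_patched(&neg)) failures++;
    if (memmove_length(neg.reqlen, neg.reqbegin) != 140) failures++;

    /* Both guards also accept reqlen > reqcap: neither looks at the buffer. */
    if (!guard_original(&big) || !guard_patched(&big)) failures++;

    /* The hardened routine rejects both bad states and handles the sane one. */
    if (compact_request_safe(&neg)) failures++;
    if (compact_request_safe(&big)) failures++;
    if (!compact_request_safe(&ok) || ok.reqlen != 30 || ok.reqbegin != 0) failures++;

    return failures;
}

int main(void)
{
    int f = demo();
    printf("%s (%d unexpected results)\n", f == 0 ? "ok" : "FAILED", f);
    return f != 0;
}
```

The checks in compact_request_safe are the ones worth asking for on the patched line: the sign of each offset and the relation of reqlen to the allocation, not the sign of their difference, which in same-width signed arithmetic can only disagree with reqlen > reqbegin by way of overflow.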