Buffer overflow in HTTP Authentication client (with solution)
-------------------------------------------------------------
Key: AXIS2C-974
URL: https://issues.apache.org/jira/browse/AXIS2C-974
Project: Axis2-C
Issue Type: Bug
Components: transport/http
Affects Versions: 1.2.0, Current (Nightly), 1.3.0
Environment: Axis + Visual C++ 6
Reporter: Stefano Pettini
Priority: Critical
Fix For: 1.2.0, 1.3.0
Bug is present in 1.3.0-RC1 announced by Dinesh on 7/2/2008 too.
In file /src/core/transport/http/sender/http_sender.c, functions
axis2_http_sender_configure_http_basic_auth and
axis2_http_sender_configure_proxy_basic_auth use sprintf without allocating
enough bytes to hold the null string terminator.
Line 1295, int plen = axutil_strlen (uname) + axutil_strlen (passwd) + 1 is not
correct, should be +2.
Line 1302, elen = axutil_base64_encode_len (plen) is not correct, a +1 should
be added.
Similar fixes should be applied to lines 1423 and 1430.
Please note that memory allocation for auth_str (using elen + 6) is risky for
the future. If "Basic" is substituted with "Digest" the +6 becomes incorrect,
causing another buffer overflow.
Thank you,
Stefano.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
