fix potential UAF in header handling (CVE-2023-49606)
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

this bug was brought to my attention today by the debian tinyproxy
package maintainer. the above link states that the issue was known
since last year and that maintainers have been contacted, but if
that is even true then it probably was done via a private email
to a potentially outdated email address of one of the maintainers,
not through the channels described clearly on the tinyproxy homepage:

> Feel free to report a new bug or suggest features via github issues.
> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.

no github issue was filed, and nobody mentioned a vulnerability on
the mentioned IRC chat. if the issue had been reported on github or
IRC, the bug would have been fixed within a day.
rofl0r committed May 5, 2024
1 parent 92289d5 commit 12a8484
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions src/reqs.c
Expand Up @@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
char *data;
char *ptr;
ssize_t len;
int i;
int i,j,df;

for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
/* Look for the connection header. If it's not found, return. */
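Review bot: in the declaration `int i,j,df;` the flag name `df` does not say what it tracks, and the list omits the spaces after the commas; a name such as `skip` (`int i, j, skip;`) would make the later `if (!df)` test self-explanatory. Because `j` is only ever compared against `sizeof (headers) / sizeof (char *)`, declaring it as `size_t` would also avoid the signed/unsigned comparison that the existing `i` loop already has.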
Expand All @@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
*/
ptr = data;
while (ptr < data + len) {
orderedmap_remove (hashofheaders, ptr);
df = 0;
/* check that ptr isn't one of headers to prevent
double-free (CVE-2023-49606) */
for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
if(!strcasecmp(ptr, headers[j])) df = 1;
if (!df) orderedmap_remove (hashofheaders, ptr);

/* Advance ptr to the next token */
ptr += strlen (ptr) + 1;
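Review bot: the inner `for (j = ...)` loop inside `while (ptr < data + len)` keeps scanning `headers[]` after `df = 1` has been set, and both the `for` and its `if` are unbraced; add a `break` on match and braces around the body so a later edit cannot silently change which statement the loop controls. `if(!strcasecmp(ptr, headers[j]))` also departs from the `name (args)` spacing used by the surrounding calls such as `orderedmap_remove (hashofheaders, ptr)`. The new comment says "double-free" while the commit title calls the bug a UAF; pick one term and state in the comment why removing a token that matches an entry in `headers[]` is unsafe at this point, since that reasoning is not recoverable from the loop itself. `strcasecmp` needs `<strings.h>`, and this diff does not show whether `src/reqs.c` already includes it, so that is worth confirming. A regression test that sends a connection header naming one of the `headers[]` entries as a token would keep this check from being dropped later.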