wwwoffle-2.7b and prior segfaults with negative Content-Length value

[qitest1 <qitest1 () bespin org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                QITEST1 SECURITY ADVISORY #005

wwwoffle-2.7b and prior segfaults with negative Content-Length value

PROGRAM DESCRIPTION
WWWOFFLE, World Wide Web Offline Explorer, is a proxy HTTP/FTP
server for computers with dial-up internet access.

DETAILS
When processing http requests, wwwoffled misinterprets the
"Content-Length" header field: it fails to handle negative
values properly. Consequently, if receiving a negative integer,
program segfaults in memcpy(), because its size argument (size_t n) 
should be an unsigned integer.
Remote overflow exploitation may be possible. Only child process
dies on segfault, so this does not constitutes a denial of service  
vulnerability effectively.

SOLUTION
wwwoffle_2.7c fixes this flaw. Alternatively, you can use the
following patch:

==8< wwwoffle-2.7b.patch
- --- wwwoffle-2.7b-old/src/parse.c     Sat Mar 23 15:28:36 2002
+++ wwwoffle-2.7b/src/parse.c   Fri Jul 12 16:52:46 2002
@@ -180,7 +180,7 @@
  if(!strcmp("POST",(*request_head)->method) ||
     !strcmp("PUT",(*request_head)->method))
    {
- -    if(length==-1)
+    if(length < 0)
       {free(url);return(NULL);}
 
     *request_body=CreateBody(length);
==8<

  --    -------------------------------------------
  ---- q1--    ----------------------------------------
  --    -------------------------------------------
  Web: http://bespin.org/~qitest1
  GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key
  - --------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9Nmt+IrsshIyVmPkRAiWmAJ4rpSSEazUu5eR/JDNZx5aN+2o1iACggnOZ
tyltTOlBgy9tB3ZbQob0R7Q=
=ZNsX
-----END PGP SIGNATURE-----