oss-sec mailing list archives
Re: CVE request: possible miniupnpc buffer overflow
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 01 May 2014 10:35:27 +1000
On a related note, I'm not sure if there are other issues close by. For example, in version 1.9, miniwget.c:

172     /* copy the remaining of the received data back to buf */
173     n = header_buf_used - endofheaders;
174     memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned. Mixing the types together (and the signed int in the memcpy) may warrant further investigation.

Upstream investigated this and found it to be safe.

Cheers,

--
Murray McAllister / Red Hat Security Response Team
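
Added example, not part of the original post and not miniupnpc code: a C sketch of what the usual arithmetic conversions do to the quoted `n = header_buf_used - endofheaders` when the types are mixed as described, next to a copy helper that validates the offsets before calling memcpy. The names naive_memcpy_len and copy_remaining, the dst_size parameter and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length memcpy() would receive from the quoted pattern, with the implicit
 * conversions written out: the int operand becomes unsigned, the subtraction
 * wraps, the result is stored in an int, then converted to size_t. */
size_t naive_memcpy_len(unsigned int header_buf_used, int endofheaders)
{
    int n = (int)(header_buf_used - (unsigned int)endofheaders);
    return (size_t)n;
}

/* Hypothetical checked variant: returns the number of bytes copied, or -1
 * when the offsets are inconsistent or the destination is too small. */
int copy_remaining(char *dst, size_t dst_size, const char *header_buf,
                   unsigned int header_buf_used, int endofheaders)
{
    size_t n;

    /* Reject a negative offset or one past the bytes actually received. */
    if (endofheaders < 0 || (unsigned int)endofheaders > header_buf_used)
        return -1;
    n = (size_t)header_buf_used - (size_t)endofheaders;
    if (n > dst_size || n > (size_t)INT_MAX)
        return -1;
    memcpy(dst, header_buf + endofheaders, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: 19 header bytes followed by a 4-byte body. */
    const char hdr[] = "HTTP/1.1 200 OK\r\n\r\nBODY";
    char out[8];

    printf("consistent offsets: naive length %zu, checked copy %d\n",
           naive_memcpy_len(23, 19),
           copy_remaining(out, sizeof out, hdr, 23, 19));
    /* endofheaders > header_buf_used: the naive length becomes enormous. */
    printf("inconsistent offsets: naive length %zu, checked copy %d\n",
           naive_memcpy_len(10, 20),
           copy_remaining(out, sizeof out, hdr, 10, 20));
    return 0;
}
```

The naive length only misbehaves when endofheaders exceeds header_buf_used, so reviewing code of this shape comes down to confirming that invariant holds on every path that reaches the copy.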