🚨 Critical Vulnerability Alert 🚨
🔍 CVE-2023-49606 is a critical use-after-free vulnerability discovered in Tinyproxy, a lightweight HTTP/S proxy server. This flaw is present in the handling of HTTP Connection Headers within the versions 1.11.1 and 1.10.0 of Tinyproxy. This vulnerability allows for potential denial of service (DoS) attacks and, under specific circumstances, could lead to remote code execution (RCE).
📈 CVSS Score: 9.8 (Critical)
The vulnerability stems from improper management of memory when handling HTTP headers. The source code in http-message.c handles memory operations for HTTP headers, including allocation, reallocation, and deallocation. The issue likely arises in the context of memory reallocation and subsequent access to freed memory, which is not correctly nullified.
Here is an excerpt of the relevant code from http-message.c:
/* Function to add headers to the HTTP message structure */
void http_message_add_headers(http_message_t *msg, const char **headers, unsigned int num_headers) {
const char **new_headers;
unsigned int i;
if (headers == NULL) {
return;
}
// Check if there is enough space, if not, reallocate
if (msg->headers.used + num_headers > msg->headers.total) {
new_headers = (const char **) safecalloc (msg->headers.total * 2, sizeof(char *));
if (new_headers == NULL) {
return; // Allocation failed, potential for use-after-free if not handled
}
// Copy existing headers to the new array
for (i = 0; i != msg->headers.used; ++i) {
new_headers[i] = msg->headers.strings[i];
}
safefree(msg->headers.strings); // Free old array
msg->headers.strings = new_headers; // Danger if old pointers are used post this point
msg->headers.total *= 2;
}
// Add new headers to the structure
for (i = 0; i != num_headers; ++i) {
msg->headers.strings[i + msg->headers.used] = headers[i];
}
msg->headers.used += num_headers;
}