Buffer overflow in gnutls-serv http code

Tomas Mraz tmraz at redhat.com
Thu Dec 2 15:24:31 CET 2010


The gnutls-serv uses a fixed allocated buffer for the response, which can
be pretty long if a client certificate is presented to it and the http
header is large. This causes a buffer overflow and heap corruption which
then leads to random segfaults or aborts.

It was reported originally here:
https://bugzilla.redhat.com/show_bug.cgi?id=659259

The attached patch changes sprintf calls in peer_print_info() to
snprintf so the buffer is never overflowed.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-2.10.3-sprintf.patch
Type: text/x-patch
Size: 5328 bytes
Desc: not available
URL: </pipermail/attachments/20101202/0bd370e2/attachment.bin>
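The mail describes the fix only in one sentence (sprintf replaced by snprintf in peer_print_info()), and the patch itself is not reproduced in the archive. The following is an added example, not the attached patch and not gnutls-serv code, showing the general shape of that fix: formatting peer information into a fixed buffer with a bounded append helper. It also covers the caveat that matters when converting several consecutive sprintf calls: snprintf returns the length the full string would have needed, not the number of bytes written, so blindly adding its return value to a running offset moves the write pointer past the end of the buffer on the next call. The buffer size, function names and the constructed subject DNs are all assumptions for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed response buffer in this example; an assumed value,
 * not the size used by gnutls-serv. */
#define RESP_MAX 128

/* Append a formatted fragment to buf without ever writing past cap bytes.
 * *len tracks the bytes already in use. vsnprintf returns the length the
 * full string would have needed, so a result >= the remaining space means
 * the fragment was truncated; in that case we pin *len to the end of the
 * buffer and report failure instead of advancing past it. */
static int append_fmt(char *buf, size_t cap, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*len >= cap)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf + *len, cap - *len, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= cap - *len) {
        /* Truncated: buffer stays NUL-terminated, content is incomplete. */
        *len = cap - 1;
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

/* Build an HTTP-style response fragment echoing the request header length
 * and a peer certificate subject (hypothetical stand-in for the output of
 * peer_print_info()). Returns the number of bytes written on success, or
 * -1 if the output did not fit in cap bytes; out is NUL-terminated either way. */
int build_peer_info(char *out, size_t cap, const char *subject_dn, size_t header_len)
{
    size_t len = 0;

    if (cap == 0)
        return -1;
    out[0] = '\0';

    if (append_fmt(out, cap, &len, "<p>Header length: %zu</p>\n", header_len) < 0)
        return -1;
    if (append_fmt(out, cap, &len, "<p>Peer subject: %s</p>\n", subject_dn) < 0)
        return -1;
    return (int)len;
}

/* For contrast, the pattern the mail describes as the bug (shown only as a
 * comment, never compiled): an unbounded sprintf into a fixed buffer writes
 * strlen(subject_dn) plus the template length regardless of sizeof buf.
 *
 *   char buf[RESP_MAX];
 *   sprintf(buf, "<p>Peer subject: %s</p>\n", subject_dn);
 */

int main(void)
{
    char buf[RESP_MAX];
    /* Constructed inputs: one subject that fits, one long enough that an
     * unbounded sprintf would have overflowed RESP_MAX. */
    const char *short_dn = "CN=client,O=Example";
    char long_dn[300];
    int n;

    memset(long_dn, 'A', sizeof long_dn - 1);
    long_dn[sizeof long_dn - 1] = '\0';

    n = build_peer_info(buf, sizeof buf, short_dn, 512);
    printf("short subject: rc=%d strlen=%zu\n", n, strlen(buf));

    n = build_peer_info(buf, sizeof buf, long_dn, 512);
    printf("long subject: rc=%d strlen=%zu (truncated, buffer intact)\n", n, strlen(buf));
    return 0;
}
```

With the long subject the second fragment is truncated: build_peer_info() reports -1 and the caller can decide to send a shorter response or an error, while the 128-byte buffer is never written past its end. Checking the return value is the part that is easy to forget after a mechanical sprintf to snprintf conversion; without it, the overflow becomes silent truncation, which is safe for memory but may still produce a malformed response.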