buffer overwrite in stats channel
httpd_request() is the read callback handler for the stats channel that reads incoming HTTP requests. It calls process_request(), which immediately calls memmove to append newly read data to the end of any previously read data in httpd->recvbuf. There's no length checking and recvbuf is only 1024 bytes. So if there are two successive reads of, say, 700 and 500 bytes, due to a browser sending an HTTP request with a ton of headers, it's possible to write past the end of the buffer.
I believe this was introduced in 9.17.4 when the statschannel was ported to use the netmgr in commit 69c1ee1c. It wouldn't have happened before because the caller supplies the buffer for
(I'm setting this to confidential just in case I'm wrong about that.)
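A bounds-checked form of the append step described in this report, as an added example that is not code from BIND or from the reporter. The names struct conn, append_checked and demo_two_reads are hypothetical; only the 1024-byte buffer size and the 700/500-byte reads come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECVBUF_SIZE 1024 /* buffer size stated in the report */

/* Hypothetical stand-in for per-connection state; not BIND's structure. */
struct conn {
    char recvbuf[RECVBUF_SIZE];
    size_t recvlen; /* bytes already buffered from earlier reads */
};

enum append_result { APPEND_OK = 0, APPEND_TOO_LARGE = -1 };

/*
 * Append one read to the buffered data, refusing any read that does not fit.
 * The check compares len against the remaining free space, so it cannot
 * wrap around the way "recvlen + len > size" could.
 */
static enum append_result
append_checked(struct conn *c, const void *data, size_t len) {
    if (c->recvlen > sizeof(c->recvbuf) ||
        len > sizeof(c->recvbuf) - c->recvlen) {
        return APPEND_TOO_LARGE; /* caller rejects the request or closes */
    }
    memmove(c->recvbuf + c->recvlen, data, len);
    c->recvlen += len;
    return APPEND_OK;
}

/*
 * Constructed scenario: two successive reads on one connection.
 * Returns 0 if both fit, -1 if the first is rejected, otherwise the
 * number of bytes kept when the second read is rejected.
 */
static int
demo_two_reads(size_t first, size_t second) {
    static char chunk[RECVBUF_SIZE * 2]; /* constructed input data */
    struct conn c;
    memset(&c, 0, sizeof(c));
    memset(chunk, 'A', sizeof(chunk));
    if (append_checked(&c, chunk, first) != APPEND_OK) return -1;
    if (append_checked(&c, chunk, second) != APPEND_OK) return (int)c.recvlen;
    return 0;
}

int main(void) {
    printf("700 then 500: %d\n", demo_two_reads(700, 500));
    return 0;
}
```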