GitLab

httpd_request() is the read callback handler for the stats channel that reads incoming HTTP requests. It calls process_request(), which immediately calls memmove to append newly read data to the end of any previously read data in httpd->recvbuf. There's no length checking and recvbuf is only 1024 bytes. So if there are two successive reads of, say, 700 and 500 bytes, due to a browser sending an HTTP request with a ton of headers, it's possible to write past the end of the buffer.

I believe this was introduced in 9.17.4 when the statschannel was ported to use the netmgr in commit 69c1ee1c. It wouldn't have happened before because the caller supplies the buffer for isc_socket_recv().

(I'm setting this to confidential just in case I'm wrong about that.)