  • #2973
Closed
Open
Issue created Oct 22, 2021 by Evan Hunt (@each, Owner)

buffer overwrite in stats channel

httpd_request() is the read callback handler for the stats channel that reads incoming HTTP requests. It calls process_request(), which immediately calls memmove to append newly read data to the end of any previously read data in httpd->recvbuf. There's no length checking and recvbuf is only 1024 bytes. So if there are two successive reads of, say, 700 and 500 bytes, due to a browser sending an HTTP request with a ton of headers, it's possible to write past the end of the buffer.

I believe this was introduced in 9.17.4 when the statschannel was ported to use the netmgr in commit 69c1ee1c. It wouldn't have happened before because the caller supplies the buffer for isc_socket_recv().

(I'm setting this to confidential just in case I'm wrong about that.)
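
The missing length check, sketched as an added example; this is not BIND's code and not the fix that was committed. `struct demo_httpd`, `append_unchecked`, `append_checked` and `demo_two_reads` are hypothetical names; only the 1024-byte buffer and the 700/500-byte reads come from the report above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECVBUF_LEN 1024 /* recvbuf size stated in the issue */

/* Hypothetical stand-in for the stats channel connection state. */
struct demo_httpd {
    uint8_t recvbuf[RECVBUF_LEN];
    size_t recvlen; /* bytes buffered by earlier reads */
};

/* The pattern the issue describes: append with no length check.
 * Kept for comparison only; nothing in this example calls it. */
void append_unchecked(struct demo_httpd *h, const uint8_t *data, size_t len) {
    memmove(h->recvbuf + h->recvlen, data, len);
    h->recvlen += len;
}

/* Bounded append: returns 0 on success, -1 if the new data does not fit.
 * recvlen <= RECVBUF_LEN always holds, so the subtraction cannot wrap, and
 * comparing against the remainder avoids overflow in recvlen + len. */
int append_checked(struct demo_httpd *h, const uint8_t *data, size_t len) {
    if (len > RECVBUF_LEN - h->recvlen)
        return -1; /* caller should fail the request */
    memmove(h->recvbuf + h->recvlen, data, len);
    h->recvlen += len;
    return 0;
}

/* Replays two successive reads on one connection using constructed,
 * all-zero input. Returns the result of the second append, or -2 if the
 * first read was already rejected. */
int demo_two_reads(size_t first, size_t second) {
    static const uint8_t chunk[2 * RECVBUF_LEN]; /* constructed input */
    struct demo_httpd h = { .recvlen = 0 };
    if (first > sizeof(chunk) || second > sizeof(chunk))
        return -2;
    if (append_checked(&h, chunk, first) != 0)
        return -2;
    return append_checked(&h, chunk, second);
}

int main(void) {
    /* The issue's scenario: 700 bytes, then 500 more (1200 > 1024). */
    printf("700 then 500: %d\n", demo_two_reads(700, 500));
    printf("700 then 324: %d\n", demo_two_reads(700, 324));
    return 0;
}
```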
