Skip to content

Stack-based overflow in process_request()

This issue looks like a stack based overflow in lib/isc/httpd.c:process_request() to me and i did not yet see anything that limits the lenght of the header to smaller than ISC_FORMATHTTPTIMESTAMP_SIZE. When the If-Modified-Since is long enough, the memmove() writes out of bounds.

                } else if (name_match(header, "If-Modified-Since")) {
                        char timestamp[ISC_FORMATHTTPTIMESTAMP_SIZE + 1];      
                        memmove(timestamp, header->value, header->value_len);  
                        timestamp[header->value_len] = 0;

                        /* Ignore the value if it can't be parsed */
                        (void)isc_time_parsehttptimestamp(
                                timestamp, &httpd->if_modified_since);
                }
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information