[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-wget] [bug #51576] wget incorrectly uses strncmp() and similar in m

From: anonymous
Subject: [Bug-wget] [bug #51576] wget incorrectly uses strncmp() and similar in many places
Date: Tue, 25 Jul 2017 17:21:46 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0


                 Summary: wget incorrectly uses strncmp() and similar in many
                 Project: GNU Wget
            Submitted by: None
            Submitted on: Tue 25 Jul 2017 09:21:45 PM UTC
                Category: Code Architecture
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: Derek
        Originator Email: address@hidden
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 1.19
        Operating System: None
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: None
           Work Required: None
          Patch Included: None



Throughout the code, wget uses strncmp(), strncasecmp(), and similar
incorrectly.  For example, in http-ntlm.c (abbreviated):

/* return true on success, false otherwise */
ntlm_input (struct ntlmdata *ntlm, const char *header)
  if (0 != strncmp (header, "NTLM", 4))
    return false;

  header += 4;
  while (*header && c_isspace(*header))

  if (*header)

      ssize_t size;
      char *buffer = (char *) alloca (strlen (header));

      DEBUGP (("Received a type-2 NTLM message.\n"));

      size = wget_base64_decode (header, buffer);
      if (size < 0)
        return false;

If header is something like "NTLMQWIK" this code will incorrectly treat this
as if header was "NTLM" and try to parse "QWIK" as base64.

In this case, the bug looks to be harmless.  However this kind of error occurs
in many places in the code, although not all of its uses are incorrect.  I
have not made any effort to audit the code further to determine if any such
misuses are exploitable.

Other places where strn*cmp() functions are misused include wherever content
types are compared, e.g.:

http.c:      0 == strncasecmp (type, TEXTHTML_S, strlen (TEXTHTML_S)) ||

(e.g. "text/html_is_not_this_type" will incorrectly match).

Wherever these functions are used, the code should be carefully audited, and
except when comparing a prefix of a string is actually what is intended,
strn*cmp should be replaced by str*cmp().


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]