[Libwebsockets] IMPORTANT SECURITY update for v2.0 and master, less critical update for v1.7.x

Andy Green andy at warmcat.com
Wed Sep 14 21:28:25 CEST 2016


Hi -

Fabrice Gilot reported a problem with an overflow in POST processing on
the test server / plugins... on closer inspection it was sufficiently
protected already, but I had a basic misunderstanding about snprintf
return value semantics which meant it could quite easily not do its job
in the case multiple snprintfs are stacked one after the other.
Basically snprintf truncates the buffer write, but I did not notice
until now that it does NOT truncate the reported length.

 - lws v1.7.x (in the distros) is not really affected by this, there
are only two instances of aggregating the write lengths over multiple
snprintf and they are in the test apps, not the library.  I updated it
anyway.

 - lws v2.0.x and master have many instances of this pattern.

I solved it by adding an lws_snprintf() wrapper whose return value is
truncated so it can be used safely in this way.  Because the test apps
use it, that must go in the public api, and because there is a change
the SONAME bumps from 7 or 8 to 7.1 or 8.1 depending on the version.

v1.7.9, v2.0.3 tags are released and master is also updated with a
patch, everyone should update.

Sorry for the inconvenience  orz

-Andy
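
The stacked-snprintf pattern the message describes, as an added example (not code from libwebsockets or from the post). `clamped_snprintf`, `raw_next_offset` and `stacked_clamped` are hypothetical names, and the wrapper only illustrates a truncated return value; it is not the library's `lws_snprintf()` implementation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper: like snprintf, but the return value is the number
 * of characters actually stored (excluding the NUL), never more. */
static int clamped_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Offset the raw pattern would use for its next write after one call.
 * The next write is deliberately not performed here: once off > size,
 * the remaining-space expression size - off wraps around as size_t. */
static size_t raw_next_offset(char *buf, size_t size, const char *field)
{
    int n = snprintf(buf, size, "name=%s;", field);
    return n < 0 ? 0 : (size_t)n;
}

/* Same aggregation with the clamped wrapper: off can never pass
 * size - 1, so every later write stays inside buf. */
static size_t stacked_clamped(char *buf, size_t size,
                              const char *f1, const char *f2)
{
    size_t off = 0;
    off += (size_t)clamped_snprintf(buf + off, size - off, "name=%s;", f1);
    off += (size_t)clamped_snprintf(buf + off, size - off, "note=%s;", f2);
    return off;
}

int main(void)
{
    char buf[16];
    const char *longf = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed input, 32 chars */
    printf("raw next offset: %zu (buffer is %zu)\n", raw_next_offset(buf, sizeof buf, longf), sizeof buf);
    printf("clamped total:   %zu, strlen %zu\n", stacked_clamped(buf, sizeof buf, longf, "x"), strlen(buf));
    return 0;
}
```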


