[Libwebsockets] Buffer overflow in HTTP relative redirect

Andy Green andy at warmcat.com
Mon Jun 18 12:52:53 CEST 2018



On 06/18/2018 06:15 PM, Silas Parker wrote:

> SUMMARY: AddressSanitizer: stack-buffer-overflow
> (~/libwebsockets/build/bin/libwebsockets-test-client+0x41aadc) in
> lws_strncpy

> I think the fix may be to add a -1 to the size value passed to
> lws_strncpy from client.c:783, it seems to fix it for this case at
> least.
> 
> diff --git a/lib/roles/http/client/client.c b/lib/roles/http/client/client.c
> index c4a4172a..bb721ec7 100644
> --- a/lib/roles/http/client/client.c
> +++ b/lib/roles/http/client/client.c
> @@ -785,7 +785,7 @@ lws_client_interpret_server_handshake(struct lws *wsi)
>                          q = strrchr(new_path, '/');
>                          if (q)
>                                  lws_strncpy(q + 1, p, sizeof(new_path) -
> -                                                       (q - new_path));
> +                                                       (q - new_path) - 1);
>                          else
>                                  path = p;
>                  }
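Review bot: In the lws_strncpy call the copy starts at q + 1 but the size is measured from q, so the new "- 1" is what brings the size in line with the space actually left in new_path. Writing it as sizeof(new_path) - (q + 1 - new_path), or adding a one-line comment, would make that relationship visible and harder to undo in a later cleanup. Separately, a relative target p that is longer than the remaining space is presumably cut short by this bounded copy with no error; consider checking the length of p against that size and failing the redirect instead of following a truncated path.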

Thanks, I pushed that patch on master + v3.0-stable.

In v2.4-stable and presumably earlier, it's actually OK already.

-Andy
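
The size arithmetic behind the one-byte overflow discussed in this thread, as an added example that is not libwebsockets code and not part of the original messages. `bounded_copy` is a hypothetical stand-in assumed to copy like strncpy and always write a terminator at `dest[size - 1]`; `PATH_CAP`, the guard bytes and the sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CAP 16   /* constructed; plays the role of sizeof(new_path) */
#define GUARD    0xAA /* fill for the bytes just past the path buffer */

/* Hypothetical helper, ASSUMED semantics: strncpy-style copy that always
 * writes a terminator at dest[size - 1]. */
static char *bounded_copy(char *dest, const char *src, size_t size)
{
	if (!size)
		return dest;
	strncpy(dest, src, size - 1);
	dest[size - 1] = '\0';
	return dest;
}

/* Replace what follows the last '/' of cur with rel, inside the first
 * PATH_CAP bytes of a larger array so a stray write is observable without
 * undefined behaviour. adjust = 0 uses the size expression from before the
 * patch, adjust = 1 the one after it. Returns the number of guard bytes
 * changed; out (PATH_CAP bytes) receives the resulting path. */
static int redirect_tail(const char *cur, const char *rel, int adjust, char *out)
{
	unsigned char backing[PATH_CAP + 8];
	char *new_path = (char *)backing, *q;
	size_t i;
	int hit = 0;

	memset(backing, GUARD, sizeof(backing));
	bounded_copy(new_path, cur, PATH_CAP);
	q = strrchr(new_path, '/');
	if (q) /* destination is q + 1: room left is PATH_CAP - (q + 1 - new_path) */
		bounded_copy(q + 1, rel, PATH_CAP - (size_t)(q - new_path) - (size_t)adjust);
	for (i = PATH_CAP; i < sizeof(backing); i++)
		hit += backing[i] != GUARD;
	memcpy(out, new_path, PATH_CAP);
	out[PATH_CAP - 1] = '\0';
	return hit;
}

int main(void)
{
	char out[PATH_CAP];

	printf("size from q:     %d guard byte(s) hit\n", redirect_tail("/a/b/index.html", "new.html", 0, out));
	printf("size from q + 1: %d guard byte(s) hit, path %s\n", redirect_tail("/a/b/index.html", "new.html", 1, out), out);
	return 0;
}
```

Under the assumed helper the terminator write is unconditional, so the pre-patch expression touches the byte past the buffer even when the new target is short.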


