polipo POC
Jacob Appelbaum
jacob at appelbaum.net
Wed Dec 9 13:55:28 UTC 2009
Darren Thurston wrote:
>
> #!/usr/bin/perl
> # estranged.pl
> # AKA
> # Polipo 1.0.4 Remote Memory Corruption 0day PoC
Cute.
> $payload = "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";
>
The proof of concept works as advertised. Wheee.
Here's a simple patch (that probably breaks some requests and is
imperfect) to stop the proof of concept while we wait on upstream to
provide a real fix for it:
--- polipo-1.0.4/client.c 2008-01-08 14:56:45.000000000 +0200
+++ polipo-1.0.4-fixed/client.c 2009-12-09 15:30:53.000000000 +0200
@@ -998,7 +998,7 @@
return 1;
}
- if(connection->reqlen > connection->reqbegin) {
+ if(connection->reqlen > connection->reqbegin && (connection->reqlen
- connection->reqbegin ) > 0 ) {
memmove(connection->reqbuf, connection->reqbuf +
connection->reqbegin,
connection->reqlen - connection->reqbegin);
connection->reqlen -= connection->reqbegin;
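Review bot: the added condition is wrapped onto a second line, so its continuation `- connection->reqbegin ) > 0 ) {` begins with `-` and reads as the removal of a line that does not exist in client.c; the header `@@ -998,7 +998,7 @@` accounts for only one removed line, so `patch` will reject this hunk as sent. Resend with the whole `if(connection->reqlen > connection->reqbegin && ... > 0)` on a single `+` line. Separately, for `int` offsets `reqlen > reqbegin` already implies `(reqlen - reqbegin) > 0` unless the subtraction itself overflows, so the new clause rejects nothing the old check accepted; a guard that protects the `memmove` would also require `reqbegin` to be non-negative and `reqlen` not to exceed the allocated size of `reqbuf`.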
Using memmove like that is extremely unsafe. :-(
Best,
Jacob
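An added illustration for the discussion above, not Polipo's code and not part of the thread. The quoted PoC request is 46 bytes, and 2147483602 + 46 is exactly INT_MAX + 1, so any 32-bit signed sum of header length and Content-Length wraps negative. Whether that is the arithmetic Polipo 1.0.4 actually performs is not established by this thread; the C below shows the checks that class of bug calls for: a Content-Length parser that rejects junk, overflow-safe addition before anything derived from the declared length is used as an offset, and a buffer compaction that validates the full invariant before calling memmove. The field names mirror the quoted hunk; REQBUF_SIZE, parse_content_length, request_end, patched_guard and compact_poc are assumptions of the example.

```c
/* Added illustration for the tor-talk discussion above.  This is NOT
 * Polipo's code: the field names (reqbuf, reqlen, reqbegin) mirror the
 * quoted hunk, but the buffer size, the parser and request_end() are
 * assumptions made for the example.  Build: cc -std=c99 -Wall lengths.c */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQBUF_SIZE 4096

/* Constructed input: the request the quoted PoC sends (46 bytes). */
static const char kPocPayload[] =
    "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";

struct connection {
    char reqbuf[REQBUF_SIZE];
    int reqlen;    /* number of valid bytes in reqbuf */
    int reqbegin;  /* offset of the first byte not yet consumed */
};

/* Parse a Content-Length value.  Returns the value, or -1 for anything
 * non-numeric, negative, with trailing junk, or above INT_MAX.  The PoC's
 * 2147483602 is a legal int, so rejecting it here would be arbitrary: the
 * sums built from it are what must be checked. */
static int parse_content_length(const char *s)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

/* a + b for non-negative ints, or -1 if the sum would exceed INT_MAX.
 * Arranged so the overflowing sum is never computed; in C that would be
 * undefined behaviour, not merely a wrong value. */
static int add_checked(int a, int b)
{
    if (a < 0 || b < 0 || a > INT_MAX - b)
        return -1;
    return a + b;
}

/* Offset at which the request (headers plus declared body) ends, or -1 if
 * it does not fit in an int.  46 + 2147483602 == 2147483648 == INT_MAX + 1,
 * so an unchecked int sum wraps negative here; this version refuses it. */
static int request_end(int reqbegin, int header_len, int content_length)
{
    int body_end = add_checked(header_len, content_length);
    if (body_end < 0)
        return -1;
    return add_checked(reqbegin, body_end);
}

/* The guard exactly as written in the posted patch.  For values whose
 * difference does not overflow, (reqlen - reqbegin) > 0 is the same test
 * as reqlen > reqbegin, so the second clause never changes the outcome. */
static int patched_guard(int reqlen, int reqbegin)
{
    return reqlen > reqbegin && (reqlen - reqbegin) > 0;
}

/* The compaction from the hunk, guarded by the invariant memmove needs:
 * 0 <= reqbegin <= reqlen <= REQBUF_SIZE.  Returns 0, or -1 on corrupted
 * lengths without touching memory. */
static int compact_reqbuf(struct connection *c)
{
    if (c->reqbegin < 0 || c->reqlen < c->reqbegin || c->reqlen > REQBUF_SIZE)
        return -1;
    if (c->reqlen > c->reqbegin)
        memmove(c->reqbuf, c->reqbuf + c->reqbegin,
                (size_t)(c->reqlen - c->reqbegin));
    c->reqlen -= c->reqbegin;
    c->reqbegin = 0;
    return 0;
}

/* Driver: load the PoC payload into a connection with the given lengths,
 * compact it, and return the resulting reqlen (or -1 if refused). */
static int compact_poc(int reqlen, int reqbegin)
{
    struct connection c;
    memset(&c, 0, sizeof c);
    memcpy(c.reqbuf, kPocPayload, sizeof kPocPayload - 1);
    c.reqlen = reqlen;
    c.reqbegin = reqbegin;
    if (compact_reqbuf(&c) != 0)
        return -1;
    return c.reqlen;
}

int main(void)
{
    int header_len = (int)(sizeof kPocPayload - 1);
    int cl = parse_content_length("2147483602");
    printf("header bytes: %d, Content-Length: %d\n", header_len, cl);
    printf("request_end: %d (negative means rejected)\n",
           request_end(0, header_len, cl));
    printf("patched guard (46, 16): %d\n", patched_guard(46, 16));
    printf("compacted reqlen from offset 16: %d\n", compact_poc(46, 16));
    printf("compact with reqbegin > reqlen: %d\n", compact_poc(20, 40));
    return 0;
}
```

The point of request_end is that the declared length is only dangerous once it is added to something; parse_content_length alone cannot tell 2147483602 from a legitimate large upload, so the overflow check has to sit at every sum that turns it into an offset or size.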