View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010253 | libmicrohttpd | digest authentication (HTTP) | public | 2025-08-14 20:03 | 2025-08-14 20:03 |
Reporter | arthurscchan | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0010253: Possible Heap Buffer Overflow in libmicrohttpd2 response_auth_digest.c | ||||
Description |

A heap-buffer-overflow is found when adding a Digest auth challenge header. The root cause is an incorrect allocation size in the `response_add_auth_digest_challenge_alg()` function, which uses the size of a pointer to the header struct rather than the size of the struct itself. Because the code then does pointer arithmetic `new_hdr + 1` (which advances by the size of the struct), the calculated string buffer (`hdr_str`) starts past the end of the allocated block, and later `memcpy()` writes overflow the heap.

Faulty allocation (https://git.gnunet.org/libmicrohttpd2.git/tree/src/mhd2/response_auth_digest.c#n213):

```c
/* ** Allocate ** */
new_hdr = (struct mhd_RespAuthDigestHeader *)
          malloc (sizeof(struct mhd_RespAuthDigestHeader *) + hdr_maxlen + 1);
if (NULL == new_hdr)
  return MHD_SC_RESPONSE_HEADER_MEM_ALLOC_FAILED;
hdr_str = (char *) (new_hdr + 1);
```

The `sizeof(...)` uses `sizeof(struct mhd_RespAuthDigestHeader *)` instead of `sizeof(struct mhd_RespAuthDigestHeader)`, which returns the size of a pointer (always 8 bytes on x64) instead of the size of the struct. Immediately after, `hdr_str` is computed as `(char*)(new_hdr + 1)`, and **`new_hdr + 1` advances by the size of the struct**, not by the size of a pointer, placing `hdr_str` outside the allocated region.

After the faulty allocation, the function builds the header by repeatedly copying pieces into `hdr_str` (https://git.gnunet.org/libmicrohttpd2.git/tree/src/mhd2/response_auth_digest.c#n304):

```c
memcpy(hdr_str + pos, hdr_pref_realm_pref.cstr, hdr_pref_realm_pref.len);
```

These writes land beyond the end of the originally allocated block and cause a heap overflow.

Additional Information | Found during the ongoing security audit carried out by Ada Logics and facilitated by OSTIF in the libmicrohttpd2 project.
Tags | No tags attached.
Date Modified | Username | Field | Change |
---|---|---|---|
2025-08-14 20:03 | arthurscchan | New Issue |
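The size mismatch described in the report, as an added example that is not code from libmicrohttpd2 or from the reporter. It uses a constructed stand-in struct (`struct demo_hdr`, an assumption, not the real `struct mhd_RespAuthDigestHeader` layout) to show how many bytes the `sizeof(pointer)` allocation comes up short once `(char *)(hdr + 1)` is used as the string buffer, and how the corrected allocation (`sizeof(struct)` plus the string length) keeps every write inside the block:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a header struct with a string stored right
   after it in the same allocation. This is NOT the real
   struct mhd_RespAuthDigestHeader from libmicrohttpd2; it only reproduces
   the "struct followed by trailing buffer" pattern the report describes. */
struct demo_hdr
{
  struct demo_hdr *next;   /* hypothetical list link */
  const char *value;       /* points at the string placed after the struct */
  size_t value_len;
};

/* Bytes the faulty expression reserves: sizeof(pointer) + maxlen + 1. */
size_t buggy_alloc_size (size_t hdr_maxlen)
{
  return sizeof (struct demo_hdr *) + hdr_maxlen + 1;
}

/* Bytes actually needed so that (char *)(hdr + 1) plus maxlen+1 fits,
   because hdr + 1 advances by sizeof(struct demo_hdr), not by a pointer. */
size_t required_alloc_size (size_t hdr_maxlen)
{
  return sizeof (struct demo_hdr) + hdr_maxlen + 1;
}

/* Number of bytes a full-length string write at (hdr + 1) would land
   outside the buggy allocation; 0 would mean no overflow. */
size_t buggy_overflow_bytes (size_t hdr_maxlen)
{
  size_t need = required_alloc_size (hdr_maxlen);
  size_t got = buggy_alloc_size (hdr_maxlen);
  return (need > got) ? need - got : 0;
}

/* Corrected allocation: size of the struct itself, then the string buffer.
   Every memcpy below stays within [hdr, hdr + sizeof(*hdr) + maxlen + 1). */
struct demo_hdr *demo_hdr_create (const char *prefix, const char *realm)
{
  size_t plen = strlen (prefix);
  size_t rlen = strlen (realm);
  size_t hdr_maxlen = plen + rlen;
  struct demo_hdr *hdr = malloc (sizeof (struct demo_hdr) + hdr_maxlen + 1);
  char *str;

  if (NULL == hdr)
    return NULL;
  str = (char *) (hdr + 1);          /* first byte after the struct, in-bounds */
  memcpy (str, prefix, plen);        /* analogous to the realm-prefix copy */
  memcpy (str + plen, realm, rlen);
  str[hdr_maxlen] = '\0';
  hdr->next = NULL;
  hdr->value = str;
  hdr->value_len = hdr_maxlen;
  return hdr;
}

/* Helper for checking: builds a header, compares the trailing string to
   `expected`, frees it, and returns 1 on match. */
int demo_hdr_value_matches (const char *prefix, const char *realm,
                            const char *expected)
{
  struct demo_hdr *hdr = demo_hdr_create (prefix, realm);
  int ok;

  if (NULL == hdr)
    return 0;
  ok = (0 == strcmp (hdr->value, expected))
       && (hdr->value_len == strlen (expected));
  free (hdr);
  return ok;
}
```

On an LP64 build `struct demo_hdr` is 24 bytes and a pointer is 8, so `buggy_overflow_bytes()` reports 16 bytes of the string buffer lying past the end of the block regardless of `hdr_maxlen`; the shortfall is exactly `sizeof(struct) - sizeof(pointer)`, which is why the bug is independent of the header length and shows up on every call. AddressSanitizer flags the first `memcpy` into `(char *)(hdr + 1)` as a heap-buffer-overflow on the faulty size; with the corrected size the same writes are in bounds.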