View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010253 | libmicrohttpd2 | General | public | 2025-08-14 20:03 | 2025-09-07 01:01 |
Reporter | arthurscchan | Assigned To | Karlson2k | ||
Priority | high | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Fixed in Version | Git master | ||||
**Summary:** 0010253: Possible Heap Buffer Overflow in libmicrohttpd2 response_auth_digest.c

**Description:**

A heap-buffer-overflow is found when adding a Digest auth challenge header. The root cause is an incorrect allocation size in the `response_add_auth_digest_challenge_alg()` function, which uses the size of a pointer to the header struct rather than the size of the struct itself. Because the code then does pointer arithmetic `new_hdr + 1` (which advances by the size of the struct), the calculated string buffer (`hdr_str`) starts past the end of the allocated block, and later `memcpy()` writes overflow the heap.

Faulty allocation (https://git.gnunet.org/libmicrohttpd2.git/tree/src/mhd2/response_auth_digest.c#n213):

```c
/* ** Allocate ** */
new_hdr = (struct mhd_RespAuthDigestHeader *)
          malloc (sizeof(struct mhd_RespAuthDigestHeader *) + hdr_maxlen + 1);
if (NULL == new_hdr)
  return MHD_SC_RESPONSE_HEADER_MEM_ALLOC_FAILED;
hdr_str = (char *) (new_hdr + 1);
```

The `sizeof(...)` uses `sizeof(struct mhd_RespAuthDigestHeader *)` instead of `sizeof(struct mhd_RespAuthDigestHeader)`, which returns the size of a pointer (always 8 bytes on x64) instead of the size of the struct. Immediately after, `hdr_str` is computed as `(char *) (new_hdr + 1)`, and **`new_hdr + 1` advances by the size of the struct**, not by the size of a pointer, placing `hdr_str` outside the allocated region.

After the faulty allocation, the function builds the header by repeatedly copying pieces into `hdr_str` (https://git.gnunet.org/libmicrohttpd2.git/tree/src/mhd2/response_auth_digest.c#n304):

```c
memcpy (hdr_str + pos, hdr_pref_realm_pref.cstr, hdr_pref_realm_pref.len);
```

These writes land beyond the end of the originally allocated block and cause the overflow.

**Additional Information:** Found during the ongoing security audit carried out by Ada Logics and facilitated by OSTIF in the libmicrohttpd2 project.

**Tags:** No tags attached.
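The size arithmetic behind this report, as an added example that is not code from libmicrohttpd2: `struct demo_hdr` is a constructed stand-in for the real header struct (same "struct followed by an inline string buffer" pattern, not the real layout), and the function names are hypothetical. It contrasts the faulty request (`sizeof` of a pointer) with the corrected one (`sizeof` of the struct), shows that `(char *) (new_hdr + 1)` always lands at `sizeof(struct)` bytes into the block regardless of how much was allocated, and gives a corrected allocation helper with overflow-checked arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the header struct (hypothetical layout). */
struct demo_hdr
{
  struct demo_hdr *next;   /* list link */
  size_t value_len;        /* length of the string in the trailing buffer */
  char *value;             /* points into the trailing buffer */
};

/* Bytes the faulty allocation requests: sizeof of a POINTER to the struct. */
size_t
faulty_alloc_size (size_t hdr_maxlen)
{
  return sizeof(struct demo_hdr *) + hdr_maxlen + 1;
}

/* Bytes the corrected allocation requests: sizeof of the struct itself. */
size_t
fixed_alloc_size (size_t hdr_maxlen)
{
  return sizeof(struct demo_hdr) + hdr_maxlen + 1;
}

/* Offset of the trailing buffer, i.e. what (char *)(new_hdr + 1) yields
 * relative to the block start. Pointer arithmetic steps by the struct
 * size, so this does not depend on the allocation size at all. */
size_t
trailing_buffer_offset (void)
{
  return sizeof(struct demo_hdr);
}

/* True if hdr_maxlen + 1 bytes written at the trailing buffer stay inside
 * a block of alloc_size bytes. */
bool
trailing_buffer_fits (size_t alloc_size, size_t hdr_maxlen)
{
  size_t needed = trailing_buffer_offset () + hdr_maxlen + 1;
  return needed <= alloc_size;
}

/* Number of bytes the writes would run past the block end, 0 if none. */
size_t
overflow_bytes (size_t alloc_size, size_t hdr_maxlen)
{
  size_t needed = trailing_buffer_offset () + hdr_maxlen + 1;
  return (needed > alloc_size) ? needed - alloc_size : 0;
}

/* Corrected allocation pattern: sizeof the struct, plus a check that the
 * size computation cannot wrap. *hdr_str receives the trailing buffer. */
struct demo_hdr *
alloc_hdr_checked (size_t hdr_maxlen, char **hdr_str)
{
  if (hdr_maxlen > SIZE_MAX - sizeof(struct demo_hdr) - 1)
    return NULL;
  struct demo_hdr *h = malloc (fixed_alloc_size (hdr_maxlen));
  if (NULL == h)
    return NULL;
  memset (h, 0, sizeof(*h));
  *hdr_str = (char *) (h + 1);
  h->value = *hdr_str;
  return h;
}

/* Builds a header whose trailing buffer holds realm="<realm>" using the
 * same piecewise memcpy pattern as the reported function. Caller frees. */
struct demo_hdr *
build_demo_header (const char *realm)
{
  static const char pref[] = "realm=\"";
  size_t realm_len = strlen (realm);
  size_t maxlen = (sizeof(pref) - 1) + realm_len + 1; /* prefix + realm + closing quote */
  char *s;
  struct demo_hdr *h = alloc_hdr_checked (maxlen, &s);
  if (NULL == h)
    return NULL;
  size_t pos = 0;
  memcpy (s + pos, pref, sizeof(pref) - 1);
  pos += sizeof(pref) - 1;
  memcpy (s + pos, realm, realm_len);
  pos += realm_len;
  s[pos++] = '"';
  s[pos] = '\0';          /* the +1 in the allocation is for this byte */
  h->value_len = pos;
  return h;
}
```

On a 64-bit build `sizeof(struct demo_hdr *)` is 8 while `sizeof(struct demo_hdr)` is 24, so the faulty request is 16 bytes short for every `hdr_maxlen`; the figures differ on 32-bit targets but the shortfall is always `sizeof(struct) - sizeof(pointer)`, which is why AddressSanitizer flags the very first `memcpy` into `hdr_str`.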
Date Modified | Username | Field | Change |
---|---|---|---|
2025-08-14 20:03 | arthurscchan | New Issue | |
2025-08-31 16:15 | Christian Grothoff | Status | new => confirmed |
2025-09-06 16:44 | Karlson2k | Note Added: 0025839 | |
2025-09-06 16:45 | Karlson2k | Assigned To | => Karlson2k |
2025-09-06 16:45 | Karlson2k | Status | confirmed => resolved |
2025-09-06 16:45 | Karlson2k | Resolution | open => fixed |
2025-09-06 16:45 | Karlson2k | Fixed in Version | => Git master |
2025-09-07 01:01 | root | Project | libmicrohttpd => libmicrohttpd2 |
2025-09-07 01:01 | root | Category | digest authentication (HTTP) => General |