Issue 160 in shellinabox: Missing null termination in httpGetURL, urlGetURL


shell...@googlecode.com

Jan 12, 2012, 12:16:03 AM
to shell...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 160 by anders.kaseorg: Missing null termination in httpGetURL,
urlGetURL
http://code.google.com/p/shellinabox/issues/detail?id=160

The strncat() calls in httpGetURL and urlGetURL do not ensure that long
strings are null terminated. This patch corrects that by using calloc
instead of malloc.

(This probably isn’t currently exploitable because :port can’t be 25
characters long, but should be fixed anyway.)

Attachments:
0001-httpGetURL-urlGetURL-Ensure-null-termination.patch 2.5 KB

shell...@googlecode.com

Jan 18, 2012, 12:47:17 AM
to shell...@googlegroups.com

Comment #1 on issue 160 by Jayschwa: Missing null termination in
httpGetURL, urlGetURL
http://code.google.com/p/shellinabox/issues/detail?id=160

strncat() always appends a null byte according to:
http://pubs.opengroup.org/onlinepubs/009604599/functions/strncat.html

I am unsure why this change is necessary. Can you clarify?

shell...@googlecode.com

Jan 18, 2012, 12:51:18 AM
to shell...@googlegroups.com

Comment #2 on issue 160 by anders.kaseorg: Missing null termination in
httpGetURL, urlGetURL
http://code.google.com/p/shellinabox/issues/detail?id=160

Yeah, you’re right, you can ignore this patch.

shell...@googlecode.com

Jan 18, 2012, 12:57:20 AM
to shell...@googlegroups.com

Comment #3 on issue 160 by Jayschwa: Missing null termination in
httpGetURL, urlGetURL
http://code.google.com/p/shellinabox/issues/detail?id=160

How about the size parameter? Is there a potential for overflow, as was the
case in your #159?
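
The two points raised in this thread, as an added example that is not shellinabox code and not part of any comment above: strncat() always writes a terminating NUL, and its size argument bounds the bytes appended rather than the destination's capacity. The function names, buffer sizes and sample strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if strncat() wrote a NUL right after the appended bytes, even though the
 * rest of the buffer held non-zero garbage (as malloc'd memory may). */
int strncat_terminates(void) {
  char *buf = malloc(16);
  if (!buf) return 0;
  memset(buf, 0x7f, 16);           /* simulate uninitialised heap memory */
  buf[0] = '\0';                   /* dst must already be a valid string */
  strncat(buf, "example.org", 7);  /* appends "example" plus a NUL */
  int ok = strlen(buf) == 7 && buf[7] == '\0' && buf[8] == 0x7f;
  free(buf);
  return ok;
}

/* Bytes of dst that strncat(dst, src, n) may touch: existing text, up to n
 * appended bytes, and the NUL. dst must be at least this large. */
size_t strncat_extent(size_t used, size_t srclen, size_t n) {
  return used + (srclen < n ? srclen : n) + 1;
}

/* Append src to dst, whose total capacity is dstsize bytes.
 * Returns 0 on success, -1 (dst unchanged) if the result would not fit. */
int bounded_append(char *dst, size_t dstsize, const char *src) {
  const char *end = memchr(dst, '\0', dstsize);
  if (!end) return -1;                      /* dst not terminated in bounds */
  size_t room = dstsize - (size_t)(end - dst) - 1;
  if (strlen(src) > room) return -1;        /* refuse instead of truncating */
  strncat(dst, src, room);
  return 0;
}

int main(void) {
  char url[8] = "http:";                    /* constructed sample input */
  printf("terminated: %d\n", strncat_terminates());
  /* Passing the buffer size (8) as n may write through 14 bytes of 8. */
  printf("n=8 extent: %zu, n=2 extent: %zu\n",
         strncat_extent(5, 10, 8), strncat_extent(5, 10, 2));
  printf("append: %d -> %s\n", bounded_append(url, sizeof url, "//"), url);
  printf("append: %d\n", bounded_append(url, sizeof url, "x"));
  return 0;
}
```

The safe value for the size argument is the capacity minus the current length minus one, which is what `bounded_append` computes before calling strncat().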
