View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005734 | SOGo | SOPE | public | 2023-04-10 15:41 | 2023-04-17 21:31 |
|Platform||Server [Linux]||OS||Gentoo Linux||OS Version||17.1/hardened|
|Fixed in Version||5.8.3|
|Summary||0005734: Buffer Overflow in WOHttpTransaction|
After updating my system and SOPE and SOGo to 5.8.2, there's a buffer overflow thrown with each HTTP request.
The following is logged (with debug enabled):
The stack trace from the debugger looks as follows:
The source code in WOHttpTransaction.m:752 shows a buggy call to snprintf:
The size of "sizeof(buf)" is the full buffer size, but the address given to snprintf isn't the start of the buffer.
(gdb) f 8
|Steps To Reproduce|
Navigate your browser to the SOGo login page. The described error is thrown.
System uname: Linux-6.1.19-gentoo-x86_64-x86_64-AMD_Ryzen_5_5600G_with_Radeon_Graphics-with-glibc2.36
Reverting to SOGo 5.7.1 (the previously installed version) didn't help. I'm not totally sure as of now why the system is sending SIGABRT just now.
|Tags||No tags attached.|
The following patch fixed it for me:
... it might probably be better to add some checks here. This patch is just meant to get my install working again ASAP.
That's strange, however you're right. I would change this:
Can you confirm this is ok for you and works?
Yes, I can confirm that your patch works. sogod is not getting shot by SIGABRT.
From the snprintf man page:
So depending on the implementation of snprintf, the output is either truncated by a byte and the null byte is written, or the null byte will be omitted.
I'd like to propose a patch that simplifies the code passage a little and accounts for the trailing null byte.
With this patch the results in buf are correct (in a sense that all bytes are being written to it):
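The two points raised in this thread (the bound passed to snprintf must match the pointer it is given, and the terminating null byte must be counted) are illustrated below with a small constructed C example. This is an added illustration, not the SOPE code or the patch from this issue; the function names, the header pieces and the buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Append one piece at buf + used. Returns the new used length, or -1 if the
 * piece plus its terminating NUL did not fit. snprintf returns the length it
 * wanted to write, so a result >= remaining means the output was cut short. */
static int append_bounded(char *buf, size_t bufsize, size_t used, const char *piece) {
    if (used >= bufsize)
        return -1;                         /* no room left, not even for the NUL */
    size_t remaining = bufsize - used;     /* the bound that belongs to buf + used */
    /* The defect discussed in this issue corresponds to passing bufsize here
     * instead of remaining: the bound then no longer matches the pointer. */
    int n = snprintf(buf + used, remaining, "%s", piece);
    if (n < 0 || (size_t)n >= remaining)
        return -1;                         /* truncated; buf is still NUL-terminated */
    return (int)(used + (size_t)n);
}

/* Concatenate pieces into a fixed buffer, stopping at the first one that does
 * not fit. Returns the stored length (without NUL), or -1 if anything was dropped. */
static int build_headers(char *buf, size_t bufsize, const char *const *pieces, size_t count) {
    if (bufsize == 0)
        return -1;
    int used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        used = append_bounded(buf, bufsize, (size_t)used, pieces[i]);
        if (used < 0)
            return -1;
    }
    return used;
}

int main(void) {
    /* constructed sample pieces, not data taken from the issue */
    const char *pieces[] = { "Content-Length: ", "42", "\r\n" };
    char buf[24];
    int len = build_headers(buf, sizeof buf, pieces, 3);
    printf("fits: len=%d buf=\"%s\"\n", len, buf);
    char small[16];
    len = build_headers(small, sizeof small, pieces, 3);
    printf("truncated: len=%d, stored=%zu bytes, still NUL-terminated\n", len, strlen(small));
    return 0;
}
```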
I'm ok, you're right about the trailing null byte. For the rest of the code it is likely the same, and it simplifies the condition.
| Date | User | Field | Change |
|---|---|---|---|
| 2023-04-10 15:41 | jam | New Issue | |
| 2023-04-10 16:09 | jam | Note Added: 0016818 | |
| 2023-04-17 13:36 | sebastien | Note Added: 0016833 | |
| 2023-04-17 13:36 | sebastien | Assigned To | => sebastien |
| 2023-04-17 13:36 | sebastien | Status | new => feedback |
| 2023-04-17 17:53 | jam | Note Added: 0016839 | |
| 2023-04-17 17:53 | jam | Status | feedback => assigned |
| 2023-04-17 21:31 | sebastien | Note Added: 0016841 | |
| 2023-04-17 21:31 | sebastien | Status | assigned => resolved |
| 2023-04-17 21:31 | sebastien | Resolution | open => fixed |
| 2023-04-17 21:31 | sebastien | Fixed in Version | => 5.8.3 |