Re: [libmicrohttpd] libmicrohttpd 0.9.71 released

[Markus Doppelbauer]

Hello,

The percent-encoded post-processor (current git ) segfaults.
ASAN reports: global-buffer-overflow
A testcase is attached.

Best wishes
Markus



-------- Weitergeleitete Nachricht --------
Von: Christian Grothoff <groth...@gnunet.org>
Antwort an: libmicrohttpd development and user mailinglist <
libmicrohttpd@gnu.org>
An: libmicrohttpd <libmicrohttpd@gnu.org>
Betreff: [libmicrohttpd] libmicrohttpd 0.9.71 released
Datum: Sun, 28 Jun 2020 22:04:49 +0200

Dear all,
I'm happy to announce the release of GNU libmicrohttpd 0.9.71.
This release fixes a potential buffer overflow and is thus considered
asecurity release. Please upgrade as soon as possible.  Thanks to
NicolasMora for finding and reporting the issue.
Additionally, the release fixes the following issues:
* Proper uncorking with GnuTLS to ensure 'last bytes' are  transmitted
over TLS connections even if we are congested* Fixes wrong values
returned by PostProcessor given certain  parser boundaries* Improved
documentation, fixed spelling mistakes* Fixed several socket handling
issues on OS X
Furthermore, the release introduces an 'enum MHD_Result' instead
of#defines for MHD_YES/MHD_NO. This is intended to make it easier to
checkfor certain API misuse bugs by providing better types (not
everything isan 'int').  While this does NOT change the binary API,
this change_will_ cause compiler warnings for all legacy code -- until
'int' isreplaced with 'enum MHD_Result'.
If you want your code to build without warnings on both older and
newerMHD releases, you may want to introduce a MHD_RESULT as done here:
https://git.gnunet.org/gnunet.git/tree/src/include/gnunet_mhd_compat.h

That said, this being a security release it may be a good time to
notbuild nicely against older versions.

Happy hacking!
Christian


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <microhttpd.h>

#define ARRAY_LENGTH(array)     (sizeof(array) / sizeof(array[0]))

enum PP_State
{
  PP_Error,
  PP_Done,
  PP_Init,
  PP_NextBoundary,
  PP_ProcessValue,
  PP_Callback,
  PP_ExpectNewLine,
  PP_ProcessEntryHeaders,
  PP_PerformCheckMultipart,
  PP_ProcessValueToBoundary,
  PP_PerformCleanup,
  PP_Nested_Init,
  PP_Nested_PerformMarking,
  PP_Nested_ProcessEntryHeaders,
  PP_Nested_ProcessValueToBoundary,
  PP_Nested_PerformCleanup
};
enum RN_State
{
  RN_Inactive = 0,
  RN_OptN = 1,
  RN_Full = 2,
  RN_Dash = 3,
  RN_Dash2 = 4
};
enum NE_State
{
  NE_none = 0,
  NE_content_name = 1,
  NE_content_type = 2,
  NE_content_filename = 4,
  NE_content_transfer_encoding = 8
};
struct MHD_PostProcessor
{
  struct MHD_Connection *connection;
  MHD_PostDataIterator ikvi;
  void *cls;
  const char *encoding;
  const char *boundary;
  char *nested_boundary;
  char *content_name;
  char *content_type;
  char *content_filename;
  char *content_transfer_encoding;
  char xbuf[2];
  size_t buffer_size;
  size_t buffer_pos;
  size_t xbuf_pos;
  uint64_t value_offset;
  size_t blen;
  size_t nlen;
  bool must_ikvi;
  bool must_unescape_key;
  enum PP_State state;
  enum RN_State skip_rn;
  enum PP_State dash_state;
  enum NE_State have;
};
static MHD_Result post_data_iterator( void *cls, enum MHD_ValueKind kind, const char *key, const char *filename, const char *content_type,
                               const char *transfer_encoding, const char *data, uint64_t off, size_t size )
{
    printf("%s", data );
    return MHD_YES;
}
int main( int argc, char *argv[] )
{
    struct MHD_PostProcessor *postprocessor = (struct MHD_PostProcessor *)calloc(1, sizeof(struct MHD_PostProcessor) + 131076+1);
    postprocessor->connection = nullptr;
    postprocessor->ikvi = post_data_iterator;
    postprocessor->cls = nullptr;
    postprocessor->encoding = MHD_HTTP_POST_ENCODING_FORM_URLENCODED;
    postprocessor->buffer_size = 131076;
    postprocessor->state = PP_Init;
    postprocessor->blen = 0;
    postprocessor->boundary = nullptr;
    postprocessor->skip_rn = RN_Inactive;
    const char *chunks[] = {
        "XXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&XXXXXX=&XXXXXXXXXXXXXX=XXXX+&XXXXXXXXXXXXXXX=XXXXXXXXX&XXXXXXXXXXXXX=XXXX%XX%XXXXXX&XXXXXXXXXXX=XXXXXXXXX&XXXXXXXXXXXXX=XXXXXXXXXX&XXXXXXXXXXXXXXX=XX&XXXXXXXXXXXXXXX=XXXXXXXXX&XXXXXXXXXXXXX=XXXXXX&XXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "&XXXXXXXX=XXXX",
        "",
    };
    for( unsigned i=0; i < ARRAY_LENGTH(chunks); ++i )
    {
        const char *chunk = chunks[i];
        MHD_post_process( postprocessor, chunk, strlen(chunk) );
    }
    MHD_destroy_post_processor( postprocessor );
    printf("\n" );
    return EXIT_SUCCESS;
}