From: Peter Bex
Subject: [Chicken-users] [SECURITY] Buffer overrun in some uses of read-string! procedure from "extras"
Date: Thu, 26 Sep 2013 21:02:16 +0200
User-agent: Mutt/1.4.2.3i

Hello CHICKEN users,

A problem was found with the read-string! procedure from the "extras"
unit, when used in a very particular way.  The manual says:

  [procedure] (read-string! NUM STRING [PORT [START]]) 

  Read or write NUM characters from/to PORT [...]
  If NUM is #f or not given, then all data up to the end-of-file
  is read[...].
  If no more input is available, read-string returns the
  empty string. read-string! reads destructively into the given
  STRING argument, but never more characters than would fit into
  STRING.

[http://wiki.call-cc.org/man/4/Unit%20extras#read-string]

It turned out that there was a missing check for the situation when
NUM was #f and the input size to be read from the port exceeded the
given buffer's (STRING's) size.  This will result in a buffer overrun,
which may lead to general corruption of the stack or heap, and
can potentially be used to execute arbitrary code.

The bug was fixed by changeset cd1b9775005ebe220ba11265dbf5396142e65f26
[http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=cd1b9775005ebe220ba11265dbf5396142e65f26]

All currently released CHICKENs are vulnerable to this bug: all stable
versions up until 4.8.0.4, and all development snapshots up until 4.8.2.
CHICKEN 4.9.0 and 4.8.0.5 will include the fix, as will all development
snapshots starting with 4.8.3.

There is a simple workaround to be used in code that uses read-string!:
simply convert all (read-string! #f buf ...) invocations to
(read-string! (string-length buf) buf ...) or, if possible, use the
non-destructive read-string procedure from the same unit.
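The workaround above in working form, as an added example written for this advisory (it is not code from chicken-core, from the "extras" unit, or from the http-client egg). It assumes the documented signature of read-string! and that the procedure returns the number of characters actually read; the helper names read-bounded! and copy-port-bounded and the sample input are this example's own.

```scheme
;; Added example for this advisory; not code from chicken-core or from the
;; advisory itself.  It shows the recommended pattern: always hand
;; read-string! an explicit count derived from the buffer's size, never #f.
(use extras)

;; Read at most the remaining capacity of BUF (from START) and return the
;; number of characters actually stored.  Because the count comes from the
;; buffer itself, the call can never ask for more than would fit, whatever
;; the port has to offer.
(define (read-bounded! buf port #!optional (start 0))
  (let ((capacity (- (string-length buf) start)))
    (if (<= capacity 0)
        0
        (read-string! capacity buf port start))))

;; Copy IN to OUT through a fixed-size buffer, one bounded chunk at a time.
;; Returns the total number of characters copied.
(define (copy-port-bounded in out #!optional (chunk-size 8))
  (let ((buf (make-string chunk-size)))
    (let loop ((total 0))
      (let ((n (read-bounded! buf in)))
        (if (zero? n)
            total
            (begin
              ;; Only the first N characters of BUF hold fresh data.
              (display (substring buf 0 n) out)
              (loop (+ total n))))))))

;; Constructed sample input, deliberately longer than the 8-character
;; buffer so the loop has to take several chunks.  On an unpatched release,
;; (read-string! #f buf in) would have tried to store all of it at once.
(define sample-input "The quick brown fox jumps over the lazy dog.")

(let* ((in (open-input-string sample-input))
       (out (open-output-string))
       (copied (copy-port-bounded in out)))
  (assert (= copied (string-length sample-input)))
  (assert (string=? (get-output-string out) sample-input))
  (printf "copied ~a characters in bounded chunks~n" copied))
```

The point of computing the count from (string-length buf) rather than from the expected input length is that the buffer, not the peer, decides how much gets written; an unexpectedly large response then simply takes more iterations instead of running past the end of the string.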

A quick scan of the egg repository pointed out that so far only
http-client seemed to be using read-string! in this manner.  This
has been fixed in http-client 0.6.1, so all users are advised to
at least upgrade this egg.

Kind regards,
The CHICKEN Team
