Summary: Groupware message receive integer overflow
Date: 2004-08-26
CVE Number: CVE-2004-0754
Discovered By: Sean (infamous42md)
Fixed In Release: 0.82


An integer overflow in a memory allocation results in a heap overflow. If the size variable arrives as ~0, it wraps to 0 when 1 is added to it in g_alloc(). The resulting malloc(0) call allocates a 16-byte block on IA-32, and the heap is then overflowed when nm_read_all() is called next. Cases like this are usually hard to exploit, because a length of ~0 is so large that a following memcpy() or strcpy() runs into kernel memory or an unmapped address and faults. Here, however, the data is read from the network via read(), so the peer can simply stop sending data and close the connection to cut the read short long before ~0 bytes have been read. Note that this is triggered by input from the server, not directly from a client: someone running a malicious groupware server could leverage this to run arbitrary code on the client.
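The following is an added illustration of the defect and its fix, not code from Gaim: a length-plus-one allocation that wraps for a wire length of ~0, beside a version that validates the length against a protocol maximum before allocating and treats a short read as an error. The names (NM_MAX_MSG_LEN, alloc_message_buffer, receive_message) and the 64 KiB limit are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a single message the client will buffer. */
#define NM_MAX_MSG_LEN 65536u

/* Returns 1 when allocating len + 1 bytes would wrap, i.e. the
 * condition described above: len == ~0 makes len + 1 == 0, so the
 * allocator hands back a tiny block instead of ~0 bytes. */
int len_plus_one_wraps(uint32_t len)
{
    return len + 1 < len;   /* unsigned wrap-around check, no UB */
}

/* Hardened allocation: bound the attacker-controlled length before
 * adding the terminator byte, so the size given to malloc cannot wrap. */
char *alloc_message_buffer(uint32_t len)
{
    if (len > NM_MAX_MSG_LEN)          /* also rejects len == ~0 */
        return NULL;
    return malloc((size_t)len + 1);    /* room for the NUL terminator */
}

/* Stand-in for nm_read_all(): the socket is replaced by a constructed
 * in-memory stream of `avail` bytes. A peer that closes the connection
 * early yields a short read, which is rejected rather than trusted.
 * Returns the number of bytes stored, or -1 if the message is refused. */
long receive_message(const unsigned char *stream, size_t avail,
                     uint32_t claimed_len, char **out)
{
    if (avail < claimed_len)           /* peer sent less than it claimed */
        return -1;
    char *buf = alloc_message_buffer(claimed_len);
    if (buf == NULL)                   /* length out of range (or ~0) */
        return -1;
    memcpy(buf, stream, claimed_len);  /* copy bounded by validated length */
    buf[claimed_len] = '\0';
    *out = buf;
    return (long)claimed_len;
}
```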


Bounds checking was added.
