Hello CHICKEN users,

A problem was found with the read-string! procedure from the "extras" unit, when used in a very particular way. The manual says:

  [procedure] (read-string! NUM STRING [PORT [START]])
  Read or write NUM characters from/to PORT [...] If NUM is #f or not given, then all data up to the end-of-file is read [...]. If no more input is available, read-string returns the empty string. read-string! reads destructively into the given STRING argument, but never more characters than would fit into STRING.

  [http://wiki.call-cc.org/man/4/Unit%20extras#read-string]

It turned out that there was a missing check for the situation when NUM was #f and the input size to be read from the port exceeded the given buffer's (STRING's) size. This results in a buffer overrun, which may lead to general corruption of the stack or heap, and can potentially be used to execute arbitrary code.

The bug was fixed by changeset cd1b9775005ebe220ba11265dbf5396142e65f26:
[http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=cd1b9775005ebe220ba11265dbf5396142e65f26]

All currently released CHICKENs are vulnerable to this bug: all stable versions up to and including 4.8.0.4, and all development snapshots up to and including 4.8.2. CHICKEN 4.9.0 and 4.8.0.5 will include the fix, as will all development snapshots starting with 4.8.3.

There is a simple workaround for code that uses read-string!: convert all (read-string! #f buf ...) invocations to (read-string! (string-length buf) buf ...) or, if possible, use the non-destructive read-string procedure from the same unit.

A quick scan of the egg repository showed that so far only http-client seems to be using read-string! in this manner. This has been fixed in http-client 0.6.1, so all users are advised to at least upgrade this egg.

Kind regards,
The CHICKEN Team

_______________________________________________
Chicken-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-users
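The workaround described above, as an added example in CHICKEN 4 Scheme. This is not code from the advisory or from CHICKEN itself; it assumes the "extras" and "ports" units, the read-string! signature quoted from the manual (returning the number of characters actually stored), and the helper names fill-buffer-unsafe, fill-buffer-safe and read-all-chunked are made up for illustration. The unsafe variant is shown only for contrast and is never called:

```scheme
;; Added example (not from the advisory or CHICKEN's own sources).
;; Assumes CHICKEN 4 with the "extras" unit (read-string!, printf)
;; and the "ports" unit (with-input-from-string).
(use extras ports)

;; The pattern the advisory warns about: NUM = #f asks for "everything up to
;; end-of-file", and on an unfixed CHICKEN the bound on STRING's length is not
;; enforced, so input longer than buf overruns it. Defined here for contrast
;; only; it is never invoked.
(define (fill-buffer-unsafe buf port)
  (read-string! #f buf port))

;; The advisory's workaround: pass the buffer's own length as NUM so the read
;; is explicitly bounded. read-string! returns how many characters it stored,
;; which may be fewer than the buffer size at end-of-file (a short read).
(define (fill-buffer-safe buf port)
  (read-string! (string-length buf) buf port))

;; Reading a port of unknown size with the bounded call: reuse one fixed
;; buffer and collect only the characters actually stored on each pass.
;; (chunk-size is an assumed parameter name.)
(define (read-all-chunked port chunk-size)
  (let ((buf (make-string chunk-size)))
    (let loop ((chunks '()))
      (let ((n (fill-buffer-safe buf port)))
        (if (zero? n)
            (apply string-append (reverse chunks))
            (loop (cons (substring buf 0 n) chunks)))))))

;; Constructed sample input: 25 characters, deliberately longer than the
;; 8-character buffer so the bounded call has to stop short of the input.
(define sample "The quick brown fox jumps")

(define (demo)
  (let ((buf (make-string 8 #\space)))
    (with-input-from-string sample
      (lambda ()
        (let ((n (fill-buffer-safe buf (current-input-port))))
          ;; Only 8 characters fit, so n is 8 and buf holds "The quic".
          (printf "stored ~a chars: ~s~n" n (substring buf 0 n)))))
    ;; Reassembles the whole 25-character input from 8-character chunks.
    (printf "chunked: ~s~n" (read-all-chunked (open-input-string sample) 8))))

(demo)
```

The point of read-all-chunked is that once NUM is tied to (string-length buf), a caller that needs the whole input loops over short reads instead of asking for "everything" into a fixed buffer; that keeps the same buffer size as a hard bound on every write regardless of how much data the port delivers.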
