A copy-paste error in alloc_trash_buffers_per_thread() passes
global.tune.bufsize_large to alloc_small_trash_buffers() instead of
global.tune.bufsize_small. This sets small_trash_size = bufsize_large.
When tune.bufsize.large is configured, get_larger_trash_chunk() then
incorrectly matches a large buffer against small_trash_size at line
169 and "grows" it to a regular (smaller) buffer. b_xfer() at line
179 attempts to copy the large buffer's contents into the smaller one:
- Default builds (DEBUG_STRICT=1): BUG_ON in __b_putblk() aborts
the process -> remote DoS
- DEBUG_STRICT=0 builds: BUG_ON becomes ASSUME() and the compiler
elides the check -> heap overflow with attacker-controlled bytes
Reachable via the json converter (sample.c:2862) when escaping
~bufsize_large/6 control characters in attacker-supplied data such
as a request header or body.
Introduced in commit 92a24a4e875b ("MEDIUM: chunk: Add support for
small chunks"). No backport needed.
---
src/chunk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/chunk.c b/src/chunk.c
index 639c7315733c..e6d9a44a799b 100644
--- a/src/chunk.c
+++ b/src/chunk.c
@@ -233,7 +233,7 @@ static int alloc_trash_buffers_per_thread()
{
return (alloc_trash_buffers(global.tune.bufsize) &&
alloc_large_trash_buffers(global.tune.bufsize_large) &&
- alloc_small_trash_buffers(global.tune.bufsize_large));
+ alloc_small_trash_buffers(global.tune.bufsize_small));
}
static void free_trash_buffers_per_thread()
--
2.53.0
