Bug #1217: Buffer overflow in WCCP recvfrom() call

The length argument of the WCCP recvfrom() call is
larger than it should be.  An attacker may send a
larger-than-normal WCCP packet and overflow a buffer.

Reported by the FSC Vulnerability Research Team

diff --git a/src/wccp.cc b/src/wccp.cc
index e40a3522069775d1b637d57b4dbc9d175a798716..d7edc20df85d1c8c3ac99f4687d952a7f561a03a 100644 (file)
--- a/src/wccp.cc
+++ b/src/wccp.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: wccp.cc,v 1.36 2005/01/28 09:05:25 serassio Exp $
+ * $Id: wccp.cc,v 1.37 2005/01/28 22:54:16 wessels Exp $
  *
  * DEBUG: section 80    WCCP Support
  * AUTHOR: Glenn Chisholm
@@ -39,7 +39,6 @@
 
 #define WCCP_PORT 2048
 #define WCCP_REVISION 0
-#define WCCP_RESPONSE_SIZE 12448
 #define WCCP_ACTIVE_CACHES 32
 #define WCCP_HASH_SIZE 32
 #define WCCP_BUCKETS 256
@@ -257,7 +256,7 @@ wccpHandleUdp(int sock, void *not_used)
 
     len = comm_udp_recvfrom(sock,
                             (void *) &wccp_i_see_you,
-                            WCCP_RESPONSE_SIZE,
+                            sizeof(wccp_i_see_you),
                             0,
 
                             (struct sockaddr *) &from,