The char tmp[10] buffer can only hold 8 hex digits + CRLF suffix. If chksz
exceeds 4GB (0xFFFFFFFF), the do-while loop writes more than 8 hex digits,
overflowing the stack buffer by 1+ bytes. In practice the buffer is aligned
from the end and leaves a 6-byte hole before it on 64-bit systems, leaving
enough room to be harmless, and 4 on 32-bit platforms which save it from
touching lower variables. So it is safe but just by luck.
Fix by increasing tmp[] to 18 bytes, sufficient for up to 16 hex digits
(2^64 - 1) plus CRLF.
*/
static int h1_append_chunk_size(struct buffer *buf, size_t chksz)
{
- char tmp[10];
+ char tmp[18];
char *beg, *end;
- beg = end = tmp+10;
+ beg = end = tmp+sizeof(tmp);
*--beg = '\n';
*--beg = '\r';
do {
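Review bot: `char tmp[18]` hard-codes the width of a 64-bit size_t (16 hex digits plus CRLF); writing it as `char tmp[2 * sizeof(size_t) + 2];` ties the bound to the type of `chksz`, so it stays correct on 32-bit builds and if the parameter type ever changes, and since the start pointer is now `tmp+sizeof(tmp)` no other line in the function depends on the literal. A one-line comment above the `do {` stating that the loop emits at most `2 * sizeof(size_t)` digits, so `beg` can never move below `tmp`, would record the invariant the commit message relies on for the "CRLF plus all digits fit exactly" reasoning.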
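To make the sizing argument in the commit message concrete, here is an added example (my own code, not HAProxy's): a chunk-size encoder that writes the hex digits backwards from the end of a stack buffer exactly as the patched routine does, but derives the buffer size from `sizeof(size_t)` and refuses to copy out when the caller's buffer is too small. The helpers `hex_digits` and `buffer_size_is_safe` are assumptions introduced for the demonstration; they show why a 10-byte buffer is only enough for values up to 0xFFFFFFFF.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not HAProxy code. Largest "<hex>\r\n" a size_t can need:
 * two hex digits per byte of size_t plus CRLF (18 on 64-bit, 10 on 32-bit). */
#define CHUNK_HDR_MAX (2 * sizeof(size_t) + 2)

/* Number of hex digits needed to print v (at least 1). */
unsigned hex_digits(uint64_t v)
{
    unsigned n = 1;
    while (v >>= 4)
        n++;
    return n;
}

/* 1 if a buffer of bufsize bytes holds every possible encoding of a size_t. */
int buffer_size_is_safe(size_t bufsize)
{
    return bufsize >= CHUNK_HDR_MAX;
}

/* Encode chksz as "<hex>\r\n" into out (capacity outcap). Returns the number
 * of bytes written, or 0 if the encoding does not fit. Never writes past out. */
size_t encode_chunk_size(size_t chksz, char *out, size_t outcap)
{
    static const char hextab[] = "0123456789ABCDEF";
    char tmp[CHUNK_HDR_MAX];
    char *beg, *end;
    size_t len;

    /* Fill from the end, like the patched routine: CRLF first, digits after. */
    beg = end = tmp + sizeof(tmp);
    *--beg = '\n';
    *--beg = '\r';
    do {
        /* Invariant: at most 2*sizeof(size_t) digits, so beg never passes tmp. */
        *--beg = hextab[chksz & 0xF];
        chksz >>= 4;
    } while (chksz);

    len = (size_t)(end - beg);
    if (len > outcap)
        return 0;
    memcpy(out, beg, len);
    return len;
}

/* Test helper: 1 if chksz encodes exactly to the expected string. */
int encodes_to(size_t chksz, const char *expect)
{
    char out[CHUNK_HDR_MAX + 1];
    size_t len = encode_chunk_size(chksz, out, sizeof(out));
    return len != 0 && len == strlen(expect) && memcmp(out, expect, len) == 0;
}

int main(void)
{
    char out[CHUNK_HDR_MAX + 1];
    size_t len = encode_chunk_size((size_t)-1, out, sizeof(out));
    out[len] = '\0';
    printf("largest size_t encodes to %zu bytes: %s", len, out);
    printf("0x100000000 needs %u hex digits; a 10-byte buffer is %s\n",
           hex_digits(0x100000000ULL), buffer_size_is_safe(10) ? "safe" : "unsafe");
    return 0;
}
```

`hex_digits(0x100000000)` returns 9, which is the first value that no longer fits in the original 8-digit-plus-CRLF layout; on a 64-bit build `buffer_size_is_safe(10)` is 0 and `buffer_size_is_safe(18)` is 1, matching the patch.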