Summary
No proper validation of the length of user input in http_server_get_content_type_from_extension in /subsys/net/lib/http/http_server_core.c.
Details
There is no check that &url[url_len - ct->extension_len] does not point before the start of url, which happens when url_len is less than ct->extension_len.
void http_server_get_content_type_from_extension(char *url, char *content_type,
                                                 size_t content_type_size)
{
    size_t url_len = strlen(url);

    HTTP_SERVER_CONTENT_TYPE_FOREACH(ct) {
        char *ext = &url[url_len - ct->extension_len]; // (0) - Create pointer prior to url if url_len is less than ct->extension_len

        if (strncmp(ext, ct->extension, ct->extension_len) == 0) { // (1) - Access of memory before url buffer
            strncpy(content_type, ct->content_type, content_type_size);
            return;
        }
    }
}
- (0) - Create pointer prior to url if url_len is less than ct->extension_len
- (1) - Access of memory before url buffer
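The length check that the Details section says is missing, shown as an added example; this is not the patch from #80396 and not Zephyr code. The `content_type_entry` struct, the `content_types` table and the function name `content_type_from_extension` are constructed stand-ins for the table walked by HTTP_SERVER_CONTENT_TYPE_FOREACH, and the return value is added so the result can be checked.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the entries HTTP_SERVER_CONTENT_TYPE_FOREACH visits. */
struct content_type_entry {
    const char *extension;
    size_t extension_len;
    const char *content_type;
};

static const struct content_type_entry content_types[] = {
    { ".html", 5, "text/html" },
    { ".js",   3, "text/javascript" },
    { ".json", 5, "application/json" },
};

/* Returns 1 and fills content_type when url ends in a known extension, else 0. */
int content_type_from_extension(const char *url, char *content_type,
                                size_t content_type_size)
{
    size_t url_len = strlen(url);
    size_t count = sizeof(content_types) / sizeof(content_types[0]);

    if (content_type_size == 0) {
        return 0;
    }
    for (size_t i = 0; i < count; i++) {
        const struct content_type_entry *ct = &content_types[i];

        /* Guard for (0): a URL shorter than the extension cannot end with it.
         * Without this, url_len - extension_len underflows and the suffix
         * pointer lands before the start of url. */
        if (url_len < ct->extension_len) {
            continue;
        }
        const char *ext = &url[url_len - ct->extension_len];

        if (strncmp(ext, ct->extension, ct->extension_len) == 0) {
            /* Copy at most size - 1 bytes and always NUL-terminate the output. */
            strncpy(content_type, ct->content_type, content_type_size - 1);
            content_type[content_type_size - 1] = '\0';
            return 1;
        }
    }
    return 0;
}
```
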
PoC
I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
An attacker could cause a segmentation fault or crash by causing memory to be read outside of the bounds of the buffer.
Patches
main: #80396
For more information
If you have any questions or comments about this advisory:
embargo: 2025-01-23