-------- Original Message --------
Subject: FreeNSIS 0.6.0 buffer overflow
Date: Tue, 8 Jul 2008 13:36:18 +0200
From: Nuutti Varis <nvaris(a)cs.helsinki.fi>
To: Fu, Xiaoming <fu(a)cs.uni-goettingen.de>
Greetings,
There's a rather limiting issue in the FreeNSIS 0.6.0 release, causing
a crash in GIST. In file SocketEventHandler.cpp, the
SocketEventHandler::recvCModeMessage method seems to presume that the
incoming data from a C-mode connection is always a maximum of 512
bytes, as indicated by line 157 in the source code.
Additionally, the length of the buffer is not checked in the socket
instance's recvMsg method (seems to use the regular recvMsg method of
Socket.cpp in the case of TCP). This essentially causes an issue
where relatively small NSLPData objects (seems to be at minimum 468 bytes)
cause memory corruption, due to buffer overflow in the recvMsg
method, and consequently, a crash in GIST.
The previous version (0.5.1-dev) handled C-mode sockets differently,
and as such, does not crash due to a larger buffer that is allocated in
the SocketEventHandler::recvCModeMessage method.
Best Regards,
Nuutti Varis
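The bug class the message describes, a receiver that copies whatever a C-mode connection delivers into a fixed 512-byte buffer without comparing the length first, as an added illustration. This is constructed example code, not FreeNSIS source: the function names recv_cmode_unchecked and recv_cmode_checked, the 512-byte size and the canary layout are assumptions for the demonstration; the message bytes are constructed inline. The unchecked variant is exercised against a region that is deliberately over-allocated so the overrun is observable (the canary placed right after the 512 bytes is clobbered) without undefined behaviour in the harness itself.

```c
/* Constructed illustration of an unchecked fixed-buffer receive versus a
 * length-checked one. Not FreeNSIS code; names and sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMODE_BUF_SIZE 512        /* assumed fixed receive buffer size */
#define CANARY         0xDEADBEEFu
#define SLACK          4096       /* extra room so the overrun stays in our allocation */

/* Vulnerable pattern: copies wire_len bytes into buf without a bound.
 * Any message longer than the buffer runs past its end. */
static size_t recv_cmode_unchecked(uint8_t *buf, const uint8_t *wire, size_t wire_len)
{
    memcpy(buf, wire, wire_len);  /* no comparison against the buffer size */
    return wire_len;
}

/* Hardened pattern: compare the incoming length against the buffer size
 * before copying. Returns -1 and leaves buf untouched when it does not fit;
 * a real receiver would size the buffer from the declared message length
 * (with an upper cap) or read in bounded chunks instead of dropping data. */
static long recv_cmode_checked(uint8_t *buf, size_t buf_size,
                               const uint8_t *wire, size_t wire_len)
{
    if (wire_len > buf_size)
        return -1;
    memcpy(buf, wire, wire_len);
    return (long)wire_len;
}

/* Harness: a 512-byte "buffer" followed by a canary, inside one larger
 * allocation, so an overrun is detectable without corrupting real memory.
 * Returns 1 if the canary survived, 0 if the receive clobbered it. */
static int canary_intact_after(int use_checked, size_t msg_len)
{
    if (msg_len > CMODE_BUF_SIZE + SLACK)
        return -1;                /* harness limit, not a receiver property */

    uint8_t *block = calloc(CMODE_BUF_SIZE + sizeof(uint32_t) + SLACK, 1);
    uint8_t *msg = malloc(msg_len ? msg_len : 1);
    if (!block || !msg) { free(block); free(msg); return -1; }

    uint32_t canary = CANARY;
    memcpy(block + CMODE_BUF_SIZE, &canary, sizeof canary);
    memset(msg, 0x41, msg_len);   /* constructed message: msg_len bytes of 'A' */

    if (use_checked)
        recv_cmode_checked(block, CMODE_BUF_SIZE, msg, msg_len);
    else
        recv_cmode_unchecked(block, msg, msg_len);

    uint32_t after;
    memcpy(&after, block + CMODE_BUF_SIZE, sizeof after);
    free(msg);
    free(block);
    return after == CANARY;
}

int main(void)
{
    size_t lens[] = { 468, 512, 513, 600 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%4zu bytes: unchecked canary %s, checked canary %s\n", lens[i],
               canary_intact_after(0, lens[i]) ? "intact" : "CLOBBERED",
               canary_intact_after(1, lens[i]) ? "intact" : "CLOBBERED");
    }
    return 0;
}
```

The 468-byte case fits and behaves the same in both variants; the check only matters once the message exceeds the buffer, which is exactly where the unchecked copy overwrites whatever follows the buffer.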