Summary
httpnenv.c uses int for string lengths in an allocation size calculation. If the combined length overflows, calloc() allocates too little memory and the subsequent strcpy() writes out of bounds.
Affected Files
src/httpnenv.c:9-11
Details
int namelen = strlen(name);
int vallen = value ? strlen(value) : 0;
HTTPV *v = calloc(1, sizeof(HTTPV) + namelen + vallen);
The +2 for null terminators is also missing.
Fix
- Use size_t for lengths.
- Add overflow check before addition.
- Add +2 for the two null terminators.
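The three fix items combined, as an added example that is not the project's own code. The HTTPV layout and the names httpv_alloc_size and httpv_new are hypothetical, since the page does not show the real struct or the enclosing function.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the project's HTTPV; the real layout is not on the page. */
typedef struct HTTPV {
    char *name;
    char *value;
    char data[];              /* name '\0' value '\0' stored inline */
} HTTPV;

/* Store the allocation size in *out and return 0, or return -1 if the
 * sum sizeof(HTTPV) + namelen + vallen + 2 would wrap around size_t. */
static int httpv_alloc_size(size_t namelen, size_t vallen, size_t *out)
{
    size_t fixed = sizeof(HTTPV) + 2;   /* header plus the two terminators */

    if (namelen > SIZE_MAX - fixed)
        return -1;
    if (vallen > SIZE_MAX - fixed - namelen)
        return -1;
    *out = fixed + namelen + vallen;
    return 0;
}

/* Allocate one name/value pair; returns NULL on overflow or allocation failure. */
static HTTPV *httpv_new(const char *name, const char *value)
{
    size_t namelen, vallen, total;
    HTTPV *v;

    if (name == NULL)
        return NULL;
    namelen = strlen(name);             /* size_t, never truncated to int */
    vallen = value ? strlen(value) : 0;
    if (httpv_alloc_size(namelen, vallen, &total) != 0)
        return NULL;
    v = calloc(1, total);
    if (v == NULL)
        return NULL;
    v->name = v->data;
    v->value = v->data + namelen + 1;
    memcpy(v->name, name, namelen + 1); /* bounded copy, includes the '\0' */
    if (value)
        memcpy(v->value, value, vallen + 1);
    return v;
}
```

With a NULL value the second terminator is already present because calloc() zero-fills the buffer.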
Severity
HIGH