hugsy/proxenet

proxenet_ssl_ioctl does not check for null parameters

thorgul opened this issue · 1 comments

proxenet_ssl_ioctl uses the func, buf and ssl parameters without checking whether they are NULL, or whether size is 0 or -1.

If one of those occurs, proxenet SIGSEGVs. See the following stack trace:

gdb-peda$ bt
#0  0x00007ff6b82e5c45 in __memcpy_ssse3_back () from /lib64/libc.so.6
#1  0x00007ff6b98d0f10 in ssl_write () from /usr/lib64/libpolarssl.so.0
#2  0x000000000040892e in proxenet_ssl_ioctl (func=0x402cb0 <ssl_write@plt>, buf=0x0, count=0xffffffffffffffff, ssl=<optimized out>) at ssl.c:260
#3  0x0000000000408ecb in proxenet_ssl_write (sock=<optimized out>, buf=<optimized out>, count=<optimized out>, ssl_sess=<optimized out>) at ssl.c:310
#4  0x00000000004048c9 in proxenet_process_http_request (server_socket=0xe) at core.c:440
#5  0x0000000000404dc8 in process_thread_job (arg=0x6f32b0) at core.c:675
#6  0x00007ff6b9b02ef1 in start_thread () from /lib64/libpthread.so.0
#7  0x00007ff6b829e7ad in clone () from /lib64/libc.so.6

A simple fix would be to add the following before the main loop:

/* reject NULL pointers and empty or error-valued sizes before any I/O */
if (func == NULL || buf == NULL || ssl == NULL || size == 0 || size == -1)
    return retcode;

Fixed by f0f8e22
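
The guard suggested in the issue, placed in a minimal wrapper of the same shape (callback, buffer, count, context) and followed by a write loop. This is an added example, not proxenet's code or the commit referenced above; fake_ssl_t, fake_ssl_write and checked_ssl_ioctl are hypothetical names, and the stub stands in for the TLS library's ssl_write.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-ins for the TLS context and its I/O callback type. */
typedef struct { unsigned char sink[64]; size_t used; } fake_ssl_t;
typedef int (*ssl_io_fn)(fake_ssl_t *, unsigned char *, size_t);

/* Stub writer: accepts at most one 64-byte record per call (partial write). */
static int fake_ssl_write(fake_ssl_t *ssl, unsigned char *buf, size_t n)
{
    if (n > sizeof(ssl->sink))
        n = sizeof(ssl->sink);
    memcpy(ssl->sink, buf, n);
    ssl->used = n;
    return (int)n;
}

/* Validate every argument before the callback can dereference it. */
static ssize_t checked_ssl_ioctl(ssl_io_fn func, void *buf, size_t count,
                                 fake_ssl_t *ssl)
{
    size_t done = 0;

    if (func == NULL || buf == NULL || ssl == NULL)
        return -1;
    /* An upstream -1 stored in a size_t becomes 0xffffffffffffffff,
       the count value visible in frame #2 of the backtrace. */
    if (count == 0 || count == (size_t)-1)
        return -1;

    while (done < count) {
        int ret = func(ssl, (unsigned char *)buf + done, count - done);
        if (ret <= 0)
            return -1;
        done += (size_t)ret;
    }
    return (ssize_t)done;
}

int main(void)
{
    fake_ssl_t s = {0};
    unsigned char msg[] = "hello";
    printf("valid call: %zd\n", checked_ssl_ioctl(fake_ssl_write, msg, 5, &s));
    printf("crash case: %zd\n",
           checked_ssl_ioctl(fake_ssl_write, NULL, (size_t)-1, &s));
    return 0;
}
```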