Darren Thurston wrote: > > #!/usr/bin/perl > # estranged.pl > # AKA > # Polipo 1.0.4 Remote Memory Corruption 0day PoC Cute. > $payload = "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n"; > The proof of concept works as advertised. Wheee. Here's a simple patch (that probably breaks some requests and is imperfect) to stop the proof of concept while we wait on upstream to provide a real fix for it: --- polipo-1.0.4/client.c 2008-01-08 14:56:45.000000000 +0200 +++ polipo-1.0.4-fixed/client.c 2009-12-09 15:30:53.000000000 +0200 @@ -998,7 +998,7 @@ return 1; } - if(connection->reqlen > connection->reqbegin) { + if(connection->reqlen > connection->reqbegin && (connection->reqlen - connection->reqbegin ) > 0 ) { memmove(connection->reqbuf, connection->reqbuf + connection->reqbegin, connection->reqlen - connection->reqbegin); connection->reqlen -= connection->reqbegin; Using memmove like that is extremely unsafe. :-( Best, Jacob
Attachment:
signature.asc
Description: OpenPGP digital signature