Chris Solomon

Bug Report: Security problem in HTTP Server

Discussion created by Chris Solomon on Jul 30, 2014
Latest reply on Jul 30, 2014 by Daniel Chen

Hi,

I am just looking at the changes in MQX 4.1.0, and I happened to notice a minor bug in the HTTP server.

I don't think this will break anything, but it looks like the behavior is not as intended.

This is from httpsrv_task.c, line 824:

static void httpsrv_ses_free(HTTPSRV_SESSION_STRUCT *session)
{
    if (session)
    {
        if (session->request.path)
        {
            _mem_free(session->request.path);
        }
        if(session->request.auth.user_id)
        {
            _mem_free(session->request.auth.user_id);
        }
        if(session->buffer.data)
        {
            _mem_free(session->buffer.data);
        }
        _mem_zero(session, sizeof(session));
        _mem_free(session);
    }
}

It looks like the intention is to zero out the HTTPSRV_SESSION_STRUCT before freeing it, but using sizeof(session) is only going to zero the size of a pointer.

Since you are going to the trouble of zeroing the session structure immediately before freeing it, the session struct must contain information that you consider sensitive, so this is probably a security problem.

Chris
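
The sizeof(session) versus sizeof(*session) difference reported above, as an added example that is not part of the original post or the MQX source. demo_session, secure_zero, scrub_buggy, scrub_fixed and residual_after are hypothetical names, and the volatile loop stands in for _mem_zero so that a host compiler cannot discard the zeroing as a dead store before free().

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for HTTPSRV_SESSION_STRUCT. */
typedef struct {
    char *path;
    char  credentials[64];   /* constructed sample of sensitive state */
} demo_session;

/* Assumed helper: volatile writes cannot be optimized away before free(). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *b = (volatile unsigned char *)p;
    while (n--) *b++ = 0;
}

/* Pattern from the report: sizeof(session) is the size of the pointer. */
static void scrub_buggy(demo_session *session) {
    secure_zero(session, sizeof(session));
}

/* Corrected: sizeof(*session) is the size of the pointed-to structure. */
static void scrub_fixed(demo_session *session) {
    secure_zero(session, sizeof(*session));
}

/* Fill a session with 0xAA, scrub it, and count bytes left non-zero. */
static size_t residual_after(void (*scrub)(demo_session *)) {
    demo_session *s = malloc(sizeof(*s));
    size_t i, left = 0;
    if (!s) return (size_t)-1;
    memset(s, 0xAA, sizeof(*s));
    scrub(s);
    for (i = 0; i < sizeof(*s); i++) left += (((unsigned char *)s)[i] != 0);
    free(s);
    return left;
}

int main(void) {
    printf("buggy scrub leaves %zu bytes, fixed scrub leaves %zu\n",
           residual_after(scrub_buggy), residual_after(scrub_fixed));
    return 0;
}
```

Only the first pointer-sized bytes are cleared by the buggy form, so everything after the first member reaches the allocator intact.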
