Multiple integer overflow issues in the package #28

@77clearlove

First location:
/src/wn_module.c, lines 172-179
char *path_gz = wn_malloc(strlen(request->path) + 4);
if (path_gz != RT_NULL)
{
sprintf(path_gz, "%s.gz", request->path);
stat_result = stat(request->path, &file_stat);
wn_free(path_gz);
}
If strlen(request->path) = 0xfffffffe here, adding 4 causes an integer overflow, the actual size passed to wn_malloc becomes 1, and the subsequent sprintf will cause a heap overflow.

Second location:
/src/wn_module.c, lines 235-239
char *path_gz = wn_malloc(strlen(request->path) + 4); /* ".gz\0" */

if (path_gz != RT_NULL)
{
sprintf(path_gz, "%s.gz", request->path);
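If strlen(request->path) is 0xfffffffe here, adding 4 causes an integer overflow and the result becomes 3, wn_malloc allocates a heap block of size 3, and the subsequent sprintf copy will cause a heap overflow.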

Third location:
/samples/wn_sample_upload.c, lines 85-97
path_size = strlen(sd_upload) + strlen(upload_dir)
+ strlen(file_name);

path_size += 4;
file_path = (char *)rt_malloc(path_size);

if(file_path == RT_NULL)
{
fd = -1;
goto _exit;
}

sprintf(file_path, "%s/%s/%s", sd_upload, upload_dir, file_name);
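If path_size at line 85 = 0xfffffffe, adding 4 causes an integer overflow and the result becomes 3, so rt_malloc allocates a heap block of size 3, and the subsequent sprintf will cause a heap overflow.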
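
A hardened form of the three allocations reported above, as an added example that is not part of the original issue or the project's code: the size is summed with a wrap check before allocating, and the copy is bounded with `snprintf`. It assumes standard `malloc` in place of `wn_malloc`/`rt_malloc`; `checked_total`, `make_gz_path` and `join_upload_path` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sum n lengths plus `extra` bytes; return -1 if the total would wrap size_t. */
int checked_total(const size_t *lens, size_t n, size_t extra, size_t *total)
{
    size_t sum = extra;

    for (size_t i = 0; i < n; i++) {
        if (lens[i] > SIZE_MAX - sum)   /* sum + lens[i] would exceed SIZE_MAX */
            return -1;
        sum += lens[i];
    }
    *total = sum;
    return 0;
}

/* "<path>.gz" in a fresh buffer; NULL on size overflow or allocation failure. */
char *make_gz_path(const char *path)
{
    size_t len = strlen(path), size;
    char *out;

    if (checked_total(&len, 1, sizeof(".gz"), &size) != 0)  /* ".gz" + NUL = 4 */
        return NULL;
    out = malloc(size);   /* assumption: malloc stands in for wn_malloc */
    if (out != NULL)
        snprintf(out, size, "%s.gz", path);   /* never writes past size bytes */
    return out;
}

/* "<root>/<dir>/<name>" in a fresh buffer; NULL on overflow or allocation failure. */
char *join_upload_path(const char *root, const char *dir, const char *name)
{
    size_t lens[3] = { strlen(root), strlen(dir), strlen(name) };
    size_t size;
    char *out;

    if (checked_total(lens, 3, 3, &size) != 0)   /* two '/' plus the NUL */
        return NULL;
    out = malloc(size);   /* assumption: malloc stands in for rt_malloc */
    if (out != NULL)
        snprintf(out, size, "%s/%s/%s", root, dir, name);
    return out;
}
```
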
