Headline
CVE-2022-38668: Fix stack data disclosure when returning static files smaller than 16KiB by mrozigor · Pull Request #523 · CrowCpp/Crow
HTTP applications (servers) based on Crow through 1.0+4 may reveal potentially sensitive data from stack memory when fulfilling a request for a static file smaller than 16 KB.
— include/crow/http_connection.h (before formatting) +++ include/crow/http_connection.h (after formatting) @@ -389,7 +389,7 @@ if (res.file_info.statResult == 0) { std::ifstream is(res.file_info.path.c_str(), std::ios::in | std::ios::binary); - std::vector<asio::const_buffer> buffers {1};
std::vector<asio::const\_buffer> buffers{1}; char buf\[16384\]; is.read(buf, sizeof(buf)); while (is.gcount() > 0)