bneradt opened a new issue, #13049: URL: https://github.com/apache/trafficserver/issues/13049
There is a non-released issue in 10.2.x and master reported by Ankit:

A stack buffer overflow vulnerability exists in the URL port handling logic (`URLImpl::set_port()`), which can be triggered remotely via a malformed HTTP Host header containing multiple colons.

## Details

The issue arises due to insufficient bounds checking when parsing the port number from the Host header. A malformed Host header (e.g., `test:8080:9090:1234`) may result in an unexpectedly large port value. This value is passed to `URLImpl::set_port()`, where a fixed-size stack buffer (`char value[6]`) is used to store the port string. When the port exceeds the expected range, this leads to a stack buffer overflow via `ink_fast_itoa()`.

This vulnerability has been confirmed using AddressSanitizer (ASAN), which reports a stack-buffer-overflow during execution.

## Proof of Concept

A simple HTTP request such as:

```
GET / HTTP/1.1
Host: test:8080:9090:1234
```
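As an added illustration of the two checks the report says are missing (this is a constructed example, not Apache Traffic Server code, and the function names `parse_host_header` and `format_port` are mine): the Host value is rejected when it carries more than one colon or a port outside 1..65535, and the port is only ever written into the 6-byte buffer through a bounded `snprintf` after the range check, so a large value can no longer overflow it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardened parse of a Host header value "name[:port]" (constructed example
 * for this issue, not Apache Traffic Server code). Returns 0 on success,
 * -1 if malformed; *port_out is 0 when no port is present. IPv6 literals
 * such as "[::1]:80" are out of scope here. */
int parse_host_header(const char *value, char *host_out, size_t host_cap,
                      int *port_out)
{
    const char *colon = strchr(value, ':');
    size_t host_len = colon ? (size_t)(colon - value) : strlen(value);

    if (host_len == 0 || host_len >= host_cap)
        return -1;
    /* A second colon, as in "test:8080:9090:1234", is malformed: reject it
     * rather than let the trailing text influence the port value. */
    if (colon && strchr(colon + 1, ':'))
        return -1;

    memcpy(host_out, value, host_len);
    host_out[host_len] = '\0';
    *port_out = 0;
    if (!colon)
        return 0;

    const char *p = colon + 1;
    if (*p == '\0')
        return -1;                 /* "host:" with an empty port */
    long port = 0;
    for (; *p; ++p) {
        if (!isdigit((unsigned char)*p))
            return -1;             /* only digits allowed in the port */
        port = port * 10 + (*p - '0');
        if (port > 65535)
            return -1;             /* bounded before it can grow further */
    }
    if (port == 0)
        return -1;
    *port_out = (int)port;
    return 0;
}

/* Writes the port into a fixed buffer of the size the issue mentions
 * (5 digits + NUL): range check first, then a bounded write. 0 on success. */
int format_port(int port, char *buf, size_t buf_len)
{
    if (port < 1 || port > 65535)
        return -1;
    int n = snprintf(buf, buf_len, "%d", port);
    return (n < 0 || (size_t)n >= buf_len) ? -1 : 0;
}
```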
