n0o.com - Personal archive of discovered vulns & writeups.

[CVE-2018-12686] Integer Overflow caused Heap buffer overflow in CivetWeb


Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : CivetServer::getParam

The Content-Length header is user-supplied, so con_len_str can be a negative number such as -1. atoi() returns it as a signed int, which is then stored in an unsigned variable: -1 becomes the largest unsigned value, so the con_len > 0 check passes. The allocation size is con_len + 1, which wraps around to 0, so the server effectively calls malloc(-1 + 1) = malloc(0). mg_read() then copies the request body into that zero-size buffer and writes far past its end, giving a heap buffer overflow whose length and content are attacker-controlled.

One attack scenario: when the server is built with SSL support (combined with OpenSSL), an attacker can use the overflow to overwrite the SSL_ctx object on the heap; mg_write then calls SSL_write through the overwritten function pointer, which leads to remote code execution.
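The following is an added example, not CivetWeb's own code and not the project's fix: a small C model of the length arithmetic described above placed next to a hardened replacement. The function names (vulnerable_alloc_size, parse_content_length, buffer_post_body), the MAX_POST_BODY limit and the in-memory body that stands in for mg_read() are my assumptions; the point is to show why a signed-to-unsigned conversion defeats a "> 0" check and how to validate the header before sizing the buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest POST body this hypothetical server is willing to buffer (assumption). */
#define MAX_POST_BODY (16UL * 1024 * 1024)

/*
 * Models the vulnerable pattern: atoi() into an unsigned variable, a "> 0"
 * check, then malloc(len + 1). Returns the size malloc() would receive
 * (0 when the check rejected the header). Nothing is allocated here, so
 * it is safe to call with hostile input.
 */
size_t vulnerable_alloc_size(const char *con_len_str, int *check_passed)
{
    /* int -1 converted to unsigned long becomes ULONG_MAX, so "> 0" holds. */
    unsigned long con_len = atoi(con_len_str);
    *check_passed = (con_len > 0);
    if (!*check_passed)
        return 0;
    /* ULONG_MAX + 1 wraps to 0: this is the malloc(0) the writeup describes. */
    return (size_t)(con_len + 1);
}

/*
 * Hardened parse of a Content-Length value. Rejects signs, non-digit
 * characters, overflow and anything above max. Returns 0 on success.
 * strtoul() itself silently accepts a leading '-' and negates the result,
 * which is why the sign is checked explicitly before calling it.
 */
int parse_content_length(const char *s, size_t max, size_t *out)
{
    char *end = NULL;
    unsigned long v;

    if (s == NULL)
        return -1;
    while (*s == ' ' || *s == '\t')
        s++;
    if (*s < '0' || *s > '9')          /* covers '-', '+' and empty strings */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                      /* overflow or trailing garbage */
    if (v > max)
        return -1;
    *out = (size_t)v;
    return 0;
}

/*
 * Hardened equivalent of the buffering step. The constructed in-memory body
 * stands in for mg_read(). Copies at most len bytes, never trusting the
 * header over what actually arrived, and NUL-terminates. Returns the number
 * of bytes stored, or -1 if the header was rejected or malloc failed.
 */
long buffer_post_body(const char *con_len_str, const char *body,
                      size_t body_len, char **out)
{
    size_t len, n;
    char *buf;

    *out = NULL;
    if (parse_content_length(con_len_str, MAX_POST_BODY, &len) != 0)
        return -1;
    if (len == 0)
        return 0;
    buf = malloc(len + 1);              /* cannot wrap: len <= MAX_POST_BODY */
    if (buf == NULL)
        return -1;
    n = body_len < len ? body_len : len;
    memcpy(buf, body, n);
    buf[n] = '\0';
    *out = buf;
    return (long)n;
}

int main(void)
{
    const char *headers[] = { "-1", "0", "12", "12abc" };
    size_t i;

    for (i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        int passed;
        size_t sz = vulnerable_alloc_size(headers[i], &passed);
        size_t ok_len = 0;
        int ok = parse_content_length(headers[i], MAX_POST_BODY, &ok_len);
        printf("Content-Length: %-6s vulnerable: check=%d malloc(%zu)  "
               "hardened: %s\n", headers[i], passed, sz,
               ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

With "-1" the vulnerable path reports the check as passed and a malloc size of 0, which is exactly the state in which mg_read() would write the body past the end of the allocation; the hardened parser rejects the same header before any allocation happens.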

https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/82c03a22f4690fb05137b1c00f