2024-06-20 01:29 BST

ID: 0002875
Project: NetSurf
Category: [All Projects] General
View Status: public
Last Update: 2024-05-28 14:54
Reporter: Felix Albrigtsen
Assigned To: (unassigned)
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Platform: GTK
OS: Linux
OS Version: Debian 13 Trixie
Product Version: 3.11
Target Version: (none)
Fixed in Version: (none)
Summary: 0002875: Stack buffer overflow in idna_encode
Description:
This buffer overflow can be reached when NetSurf is handling "href" and "src" attributes in many different HTML elements, or when passing a URL on the command line.

In idna_encode, fqdn is created as a character buffer holding 256 bytes.
When called through nsurl_create and nsurl__create_from_section, the second argument, len, contains the correct value, but there are no limitations or checks on how long the host string can be.

This means that when strncpy is used to copy the provided host string to the fqdn buffer, it can be overflowed if the host string is longer than 256 bytes.
This causes a crash at minimum, and on builds without a stack canary it can be used to control the instruction pointer.

The HTML file shown below uses an offset of 312 bytes, followed by three f's to set the last three bytes of the instruction pointer to \x66\x66\x66.
URL encoded bytes can also be used to change the instruction pointer to both lower and upper case ASCII. The number 3 is arbitrarily chosen to show a possible "relative jump" in a relocatable binary, but you can overwrite the entire instruction pointer or other things on the stack as well.

The offset 312 works for me on a 64-bit linux system with GCC, but might differ on other platforms.
Steps To Reproduce:
- Build/Install NetSurf 3.11, for example from the Debian 13 repositories (`# apt install netsurf-gtk`)
- Open a page with a long URL as described above (for example, with the file ./bof.html, run `$ netsurf-gtk file://$(pwd)/bof.html`)

Example HTML file showing the problem:

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfff
</body>
</html>
Additional Information:
Tested with NetSurf 3.11 on Debian (testing) and NixOS (unstable).
I have not tested any other platforms.
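A hardened form of the host copy the report describes, added here as an example and not NetSurf's own code: the copy is bounded by the size of the destination buffer rather than by the caller-supplied len, so an over-long host is rejected instead of running past the 256-byte stack buffer. The names FQDN_BUF, copy_host_bounded, idna_encode_checked and try_host_of_length, and the enum status codes, are hypothetical; the 'A'-filled hosts the helper builds are constructed test input.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not NetSurf's idna_encode: the same 256-byte stack buffer,
 * with the caller-supplied len validated before any byte is written. */
#define FQDN_BUF 256

enum idna_status { IDNA_OK = 0, IDNA_TOO_LONG = 1, IDNA_BAD_ARG = 2 };
/* Copy len bytes of host into fqdn, refusing anything that does not fit
 * together with the terminating NUL. The bound comes from the destination,
 * which is exactly what strncpy(fqdn, host, len) in the report does not do. */
static enum idna_status copy_host_bounded(char *fqdn, size_t fqdn_size,
                                          const char *host, size_t len)
{
    if (fqdn == NULL || host == NULL || fqdn_size == 0)
        return IDNA_BAD_ARG;
    if (len >= fqdn_size)           /* len == fqdn_size leaves no room for NUL */
        return IDNA_TOO_LONG;
    memcpy(fqdn, host, len);
    fqdn[len] = '\0';
    return IDNA_OK;
}

/* Stand-in for the idna_encode entry point (hypothetical signature). */
enum idna_status idna_encode_checked(const char *host, size_t len,
                                     char *out, size_t out_size)
{
    char fqdn[FQDN_BUF];
    enum idna_status st = copy_host_bounded(fqdn, sizeof fqdn, host, len);
    if (st != IDNA_OK)
        return st;
    /* the real encoding work would go here; return the result, still bounded */
    if (out == NULL || len >= out_size)
        return IDNA_TOO_LONG;
    memcpy(out, fqdn, len + 1);
    return IDNA_OK;
}

/* Build a constructed host of len 'A' characters, like the report's PoC,
 * and report what the checked encoder does with it. */
enum idna_status try_host_of_length(size_t len)
{
    char host[512], out[512];
    if (len >= sizeof host)
        return IDNA_BAD_ARG;
    memset(host, 'A', len);
    host[len] = '\0';
    return idna_encode_checked(host, len, out, sizeof out);
}
```

With this check in place the 312-byte host from the report is refused before the stack buffer is touched, while hosts of up to 255 bytes (the largest that fit with the NUL) are still accepted.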
Tags: No tags attached.
Issue History
Date Modified       Username            Field        Change
2024-05-28 14:24    Felix Albrigtsen    New Issue
2024-05-28 14:54    Felix Albrigtsen    Note Added: 0002462