

Integer overflow in nginx - qzio
http://www.securityfocus.com/archive/1/526439/30/0/threaded

======
linuxsec
Looking for details..

~~~
ZephyrP
haven't contacted the author but he describes his supposed route. I'm trying
to replicate his results and there is indeed a possible integer overflow
condition but I'd be doubtful of reports of successful exploitation with
systems linked with a newer version of glibc w/ heap consistency checking,
stackguard &/| aslr.

<http://lxr.evanmiller.org/http/source/core/ngx_log.h#L120> contains a few
functions (2, 5 I've found so far) that write data in a (at a quick glance)
safe fashion, I guess you might be able to give someone weird logfiles.

I've been over every file that is referenced by ngx_http_request_t
<http://lxr.evanmiller.org/http/ident?i=ngx_http_request_t> looking for
buffers, directly or indirectly using a value derived from an
ngx_http_request->count (not -> main -> count), and although the bug condition
he describes is possibly real, I'd love to see an RCE proof of concept from
the author.

