Vigil@nce: BSD, denial of service via regcomp
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When an attacker can transmit a special regular expression to an
application using the regcomp() function, he can stop the
application.
– Severity: 1/4
– Creation date: 04/11/2011
IMPACTED PRODUCTS
– FreeBSD
– NetBSD
– OpenBSD
DESCRIPTION OF THE VULNERABILITY
The regcomp() function generates a data structure representing a
regular expression.
The "((.*)1,10)1,10etc." regular expression means "all
characters, as many times as required, and between 1 and 10 times,
and then between 1 and 10 times, etc.".
When regcomp() generates the data structure representing this
regular expression, the p_ere_exp() or p_bre_exp() function is
called recursively. This recursive call is almost infinite, so the
stack gets filled, and then a segmentation error occurs.
When an attacker can transmit a special regular expression to an
application using the regcomp() function, he can therefore stop
the application.
This vulnerability is a variant of VIGILANCE-VUL-10183
(https://vigilance.fr/tree/1/10183).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/BSD-denial-of-service-via-regcomp-11125