CVE-2018-10945 mongoose out-of-bounds access

Hello, I found a vulnerability in the mg_handle_cgi function.
The function is in mongoose.c, line 8925.

Note line 8925: n is assigned nc->recv_mbuf.len - (hm->message.len - hm->body.len).
When I debugged it, I found that nc->recv_mbuf.len = 1024 and hm->message.len - hm->body.len is a small number.
This may lead to n > hm->body.len, which would make the program read memory beyond hm->body's buffer.
And when I triggered this vulnerability many times (200+), I got a null pointer dereference (UAF).
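The following C is an added example, not mongoose's source and not the reporter's attachment: it models the length arithmetic described above with stand-in structures (mg_str, mbuf, http_message are simplified imitations of the mongoose fields the report names) and a constructed POST request whose Content-Length covers only 5 of the 1024 buffered bytes. cgi_post_len_clamped is my suggested guard, not the upstream fix; it also avoids the unsigned wrap that the raw subtraction produces when fewer bytes than the headers are buffered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mongoose's code: minimal stand-ins for the fields the
 * report names (nc->recv_mbuf, hm->message, hm->body). */
struct mg_str { const char *p; size_t len; };
struct mbuf { char *buf; size_t len; size_t size; };
struct http_message { struct mg_str message; struct mg_str body; };

#define RECV_BUF_SIZE 1024
static char g_recv[RECV_BUF_SIZE];

/* The length the report says mg_handle_cgi computes: everything buffered on
 * the connection minus the header bytes (message.len - body.len). */
size_t cgi_post_len_reported(const struct mbuf *rb, const struct http_message *hm) {
  return rb->len - (hm->message.len - hm->body.len);
}

/* Suggested guard (this note's, not the upstream fix): never hand the CGI
 * child more than the parsed body, and return 0 if the headers are not even
 * fully buffered (the raw subtraction would wrap to a huge size_t there). */
size_t cgi_post_len_clamped(const struct mbuf *rb, const struct http_message *hm) {
  size_t hdr_len = hm->message.len - hm->body.len;
  size_t n;
  if (rb->len < hdr_len) return 0;
  n = rb->len - hdr_len;
  return n > hm->body.len ? hm->body.len : n;
}

/* How many bytes past the end of hm->body a send of n bytes starting at
 * hm->body.p would touch (0 when n stays inside the body). */
size_t bytes_past_body(const struct http_message *hm, size_t n) {
  return n > hm->body.len ? n - hm->body.len : 0;
}

/* Constructed scenario mirroring the report's numbers: the receive buffer is
 * full (1024 bytes) but the parsed request is a short CGI POST whose
 * Content-Length covers only 5 of them. Returns the header length. */
size_t build_case(struct mbuf *rb, struct http_message *hm) {
  static const char req[] =
      "POST /cgi-bin/test.cgi HTTP/1.1\r\n"
      "Host: 127.0.0.1:8000\r\n"
      "Content-Length: 5\r\n"
      "\r\n"
      "hello";
  size_t req_len = sizeof(req) - 1;
  size_t hdr_len = (size_t)(strstr(req, "\r\n\r\n") - req) + 4;

  memset(g_recv, 'A', RECV_BUF_SIZE);  /* filler after the parsed message */
  memcpy(g_recv, req, req_len);
  rb->buf = g_recv;
  rb->len = RECV_BUF_SIZE;             /* nc->recv_mbuf.len == 1024, as in the report */
  rb->size = RECV_BUF_SIZE;

  hm->message.p = g_recv;
  hm->message.len = req_len;           /* headers + the 5-byte body */
  hm->body.p = g_recv + hdr_len;
  hm->body.len = req_len - hdr_len;    /* 5, from Content-Length */
  return hdr_len;
}

int main(void) {
  struct mbuf rb;
  struct http_message hm;
  size_t hdr_len = build_case(&rb, &hm);
  size_t n = cgi_post_len_reported(&rb, &hm);
  printf("header bytes: %zu, body.len: %zu, n as computed: %zu\n",
         hdr_len, hm.body.len, n);
  printf("sending n bytes from body.p would run %zu bytes past the body\n",
         bytes_past_body(&hm, n));
  printf("clamped n: %zu\n", cgi_post_len_clamped(&rb, &hm));
  return 0;
}
```

With these numbers n comes out as 1024 - 76 = 948 while the body is 5 bytes, so a send of n bytes from hm->body.p runs 943 bytes past the parsed body; the clamped variant hands the CGI child exactly 5.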

# Normal reproduction

The steps to reproduce the vulnerability:
Step 1
Download the latest source of mongoose and compile the code in the directory examples/simplest_web_server.
Then run it.

This starts an HTTP server on port 8000.

Step 2
Use nc to send the payload to port 8000.

PS: the crash.fuzz file is attached to the email.
Then we get Segmentation fault (core dumped).

# Reproduction with gdb

If you want to reproduce the vulnerability in gdb, you should send the payload many times (maybe 200+) to trigger the crash.
Step 1
Download and compile the source, and start it under gdb.

PS: you should set follow-fork-mode parent (so gdb stays attached to the server rather than the CGI child it forks).

Step 2
Send the payload to the port many times.

I wrote a shell script to do this.

Then we can see that gdb catches the crash.

We can see that nc->iface is 0x0, and the code wants nc->iface->vtable->tcp_send; this leads to the null pointer dereference.
If you know glibc malloc, you can find that nc has been freed.