BF Specification of CVE-2017-17833

Missing reposition of the 'result' pointer leads to a dangling pointer due to reallocation of the same object via 'sendbuf', which, when used to resize (second reallocation) the object leads to a double free. If exploited, this can lead to a denial of service or an arbitrary (remote) code execution.



Bug ReportCode with BugCode with FixNVD Entry
MADThe pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MMNAn object is allocated, deallocated, or resized improperly.
RepositionChange the pointer to another position inside its object.
Reallocate-ExtendReserve a new larger piece of memory for an object at a new address, copy the object content there, reassign its pointer, and deallocate the previous piece of memory.
Code Defect BugThe operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing CodeThe entire operation implementation or a part of its specification is absent.
Address Error/FaultThe object address in use is wrong.
   Dangling PointerStill points to the address of its successfully deallocated object.
Memory Corruption/Disclosure Final ErrorAn exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Double FreeAn attempt to deallocate a deallocated object or via an uninitialized pointer.
Operation AttributeDefinition
MechanismShows how the buggy/faulty operation code is performed.
   SequentialThe operation is performed after iterating over the object elements.
   ExplicitThe operation is performed by a function/method call.
Source CodeShows where the buggy/faulty operation code is in the program -- in what kind of software.
   Third-PartyThe operation is in a third-party software.
Execution SpaceShows where the buggy/faulty operation code is running or with what privilege level).
   UserlandThe bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
Operand AttributeDefinition
Address StateShows where the address is in the memory layout.
   HeapThe object is a dynamically allocated data structure (e.g., via malloc() and new).
Size KindShows what the limit for traversal of the object is.
   UsedA supplied size for an object.