CVE-2016-9564 - Stack-Based Buffer Overflow in Boa 0.92r


A stack-based buffer overflow exists in the send_redirect() function of the Boa web server v0.92r, allowing remote attackers to cause a denial of service via an HTTP GET request.

The CVE is located at

Boa 0.92r is available from

Other versions are available from


The vulnerability exists in response.c, on line 105, where url is written into buffer. A buffer overflow can occur because buffer is 527 bytes in size (MAX_PATH_LENGTH, which is #define'd as 512, plus 15). The extra 15 bytes are for "Location: " on the left-hand side of %s (url) and "\r\n\r\n" on the right-hand side, which have string lengths of 11 and 4 characters respectively.

When compiled, buffer is allocated at ebp - 0x217, i.e. 535 bytes below the saved ebp. Before this function is reached, Boa prepends the protocol, hostname, colon and port (e.g. "http://hostname/") to url in the init_get() function in get.c.

A GET request for a file with a long name made up only of forward slashes and dots will overwrite the saved stack values. The requested file name needs to be at least 512 minus the length of the prepended protocol, hostname and port, plus 4 bytes for the saved ebp and 4 bytes for the saved return address. For example: "GET " + "/."*600 + " HTTP/1.1\r\n\r\n".
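As an added illustration (example code, not from the advisory or from Boa's source), the program below shows the bounds-checked form of the formatting step described above. It keeps the advisory's buffer size (MAX_PATH_LENGTH + 15 = 527 bytes) and the "Location: %s\r\n\r\n" layout, but replaces the unbounded write with snprintf() and checks its return value, so an over-long url is rejected instead of overwriting the saved ebp and return address. The hostname and the helper names (format_redirect, redirect_len and friends) are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes as described in the advisory: MAX_PATH_LENGTH plus 15 bytes of room
 * for "Location: " and "\r\n\r\n". */
#define MAX_PATH_LENGTH 512
#define REDIRECT_BUF_LEN (MAX_PATH_LENGTH + 15)   /* 527 */

/* The pattern the advisory describes (shown for reference, never executed
 * here) is:
 *     char buffer[MAX_PATH_LENGTH + 15];
 *     sprintf(buffer, "Location: %s\r\n\r\n", url);
 * sprintf() has no notion of the destination size, so a url longer than the
 * remaining room runs off the end of buffer into the saved ebp and return
 * address. */

/* Hardened replacement (example code, not Boa's): snprintf() writes at most
 * buflen bytes and returns the length the complete output would have had, so
 * a return value >= buflen means the URL did not fit. Returns the number of
 * bytes written, or -1 when the response would have been truncated. */
int format_redirect(char *buf, size_t buflen, const char *url)
{
    int n = snprintf(buf, buflen, "Location: %s\r\n\r\n", url);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';          /* do not leave a partial header behind */
        return -1;
    }
    return n;
}

/* Formats url into a stack buffer of the advisory's size and reports the
 * result, so the exact boundary can be checked. */
int redirect_len(const char *url)
{
    char buffer[REDIRECT_BUF_LEN];
    return format_redirect(buffer, sizeof buffer, url);
}

/* Same check for a constructed URL of len 'a' characters. With a 527-byte
 * buffer and 14 bytes of fixed text in this format string, a 512-character
 * URL fits and a 513-character URL is rejected. */
int redirect_len_for_url_length(size_t len)
{
    char *url = malloc(len + 1);
    if (!url)
        return -1;
    memset(url, 'a', len);
    url[len] = '\0';
    int n = redirect_len(url);
    free(url);
    return n;
}

/* Reproduces the shape of the request path from the advisory ("/." repeated)
 * behind the kind of "http://hostname" prefix that init_get() adds. The
 * hostname is a constructed sample value. */
int redirect_len_for_dot_slash_path(size_t repeats)
{
    const char *prefix = "http://hostname";   /* constructed sample host */
    size_t plen = strlen(prefix);
    char *url = malloc(plen + 2 * repeats + 1);
    if (!url)
        return -1;
    memcpy(url, prefix, plen);
    for (size_t i = 0; i < repeats; i++) {
        url[plen + 2 * i] = '/';
        url[plen + 2 * i + 1] = '.';
    }
    url[plen + 2 * repeats] = '\0';
    int n = redirect_len(url);
    free(url);
    return n;
}

int main(void)
{
    printf("short URL:         %d bytes\n", redirect_len("http://hostname/index.html"));
    printf("512-char URL:      %d bytes\n", redirect_len_for_url_length(512));
    printf("513-char URL:      %d (rejected)\n", redirect_len_for_url_length(513));
    printf("600 x \"/.\" path:  %d (rejected)\n", redirect_len_for_dot_slash_path(600));
    return 0;
}
```

The important detail is the comparison against buflen rather than a plain check for a negative return: snprintf() reports success even when it truncated, and a truncated Location header is still a malformed response that should be refused rather than sent.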

Fixed Version

This vulnerability ceases to exist from version 0.93.14 onwards as the developers removed sprintf() calls wherever possible (

Code Snippets