Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/12/19 10:20:39 UTC
[PATCH] mod_negotiation small bug fix
The strip_paren_comments() function does the wrong thing when given a line
with an unterminated "-quoted string. It increments the variable hdr
twice, passing the \0 terminator.
This doesn't cause a buffer overflow exploit, but maybe can cause a
segv.
Dean
Index: modules/standard/mod_negotiation.c
===================================================================
RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
retrieving revision 1.61
diff -u -r1.61 mod_negotiation.c
--- mod_negotiation.c 1997/10/22 20:30:26 1.61
+++ mod_negotiation.c 1997/12/19 09:11:35
@@ -645,10 +645,11 @@
while (*hdr) {
if (*hdr == '"') {
- while (*++hdr && *hdr != '"') {
- continue;
- }
- ++hdr;
+ hdr = strchr(hdr, '"');
+ if (hdr == NULL) {
+ return;
+ }
+ ++hdr;
}
else if (*hdr == '(') {
while (*hdr && *hdr != ')') {
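Review bot: the added `hdr = strchr(hdr, '"');` starts its search at the opening quote itself, because the enclosing test is `*hdr == '"'`. strchr therefore returns hdr unchanged, the `hdr == NULL` check can never fire, and `++hdr` only steps past the opening quote. The walk past the \0 terminator is gone, but the body of a quoted string is no longer skipped: the outer `while (*hdr)` loop now scans it, so a `(` inside a quoted string reaches the `else if (*hdr == '(')` branch. Searching from `hdr + 1` would make the call find the closing quote and let the NULL return handle the unterminated case as intended.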
Re: [PATCH] mod_negotiation small bug fix
Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Fri, Dec 19, 1997 at 01:20:39AM -0800, Dean Gaudet wrote:
> This [...] maybe can cause a
> segv.
+1.
Martin
--
| S I E M E N S | <Ma...@mch.sni.de> | Siemens Nixdorf
| ------------- | Voice: +49-89-636-46021 | Informationssysteme AG
| N I X D O R F | FAX: +49-89-636-44994 | 81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request