Posted to commits@apr.apache.org by jo...@apache.org on 2004/09/15 13:26:50 UTC
cvs commit: apr-util/uri apr_uri.c
jorton 2004/09/15 04:26:50
Modified: . CHANGES
test testuri.c
uri apr_uri.c
Log:
* uri/apr_uri.c (apr_parse_uri): Fix input validation to avoid
passing negative length to memcpy for malformed IPv6 literal
addresses.
* test/testuri.c: Add tests for such malformed URIs.
Reviewed by: trawick, madhum
Revision Changes Path
1.138 +5 -0 apr-util/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apr-util/CHANGES,v
retrieving revision 1.137
retrieving revision 1.138
diff -d -w -u -r1.137 -r1.138
--- CHANGES 10 Aug 2004 03:45:43 -0000 1.137
+++ CHANGES 15 Sep 2004 11:26:49 -0000 1.138
@@ -1,5 +1,10 @@
Changes with APR-util 1.0
+ *) SECURITY: CAN-2004-0786 (cve.mitre.org)
+ Fix input validation in apr_uri_parse() to avoid passing negative
+ length to memcpy for malformed IPv6 literal addresses.
+ [Joe Orton]
+
*) Only install apu-$MAJOR-config and add appropriate detection code to
find_apu.m4 (APU_FIND_APU). [Max Bowsher <maxb ukf.net>]
1.9 +10 -1 apr-util/test/testuri.c
Index: testuri.c
===================================================================
RCS file: /home/cvs/apr-util/test/testuri.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -d -w -u -r1.8 -r1.9
--- testuri.c 22 Jun 2004 16:18:54 -0000 1.8
+++ testuri.c 15 Sep 2004 11:26:50 -0000 1.9
@@ -18,6 +18,7 @@
#include "testutil.h"
#include "apr_general.h"
+#include "apr_strings.h"
#include "apr_uri.h"
struct aup_test {
@@ -37,6 +38,10 @@
struct aup_test aup_tests[] =
{
+ { "http://[/::1]/index.html", APR_EGENERAL },
+ { "http://[", APR_EGENERAL },
+ { "http://[?::1]/index.html", APR_EGENERAL },
+
{
"http://127.0.0.1:9999/asdf.html",
0, "http", "127.0.0.1:9999", NULL, NULL, "127.0.0.1", "9999", "/asdf.html", NULL, NULL, 9999
@@ -166,10 +171,14 @@
const char *s = NULL;
for (i = 0; i < sizeof(aup_tests) / sizeof(aup_tests[0]); i++) {
+ char msg[256];
+
memset(&info, 0, sizeof(info));
t = &aup_tests[i];
rv = apr_uri_parse(p, t->uri, &info);
- ABTS_INT_EQUAL(tc, rv, t->rv);
+ apr_snprintf(msg, sizeof msg, "uri '%s': rv=%d not %d", t->uri,
+ rv, t->rv);
+ ABTS_ASSERT(tc, msg, rv == t->rv);
if (t->rv == APR_SUCCESS) {
ABTS_STR_EQUAL(tc, info.scheme, t->scheme);
ABTS_STR_EQUAL(tc, info.hostinfo, t->hostinfo);
1.22 +5 -5 apr-util/uri/apr_uri.c
Index: apr_uri.c
===================================================================
RCS file: /home/cvs/apr-util/uri/apr_uri.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -d -w -u -r1.21 -r1.22
--- apr_uri.c 21 Jun 2004 15:50:55 -0000 1.21
+++ apr_uri.c 15 Sep 2004 11:26:50 -0000 1.22
@@ -357,11 +357,11 @@
if (*hostinfo == '[') {
v6_offset1 = 1;
v6_offset2 = 2;
- s = uri;
- do {
- --s;
- } while (s >= hostinfo && *s != ':' && *s != ']');
- if (s < hostinfo || *s == ']') {
+ s = memchr(hostinfo, ']', uri - hostinfo);
+ if (s == NULL) {
+ return APR_EGENERAL;
+ }
+ if (*++s != ':') {
s = NULL; /* no port */
}
}
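Review bot: The `*++s != ':'` check treats every byte other than `:` after the closing bracket as "no port", so a hostinfo with stray characters between `]` and its end (constructed example: `[::1]x`) is accepted here rather than rejected like the other malformed literals this commit tests. Assuming `uri` still marks the end of hostinfo, as the `memchr` bound suggests, the two cases can be told apart with `if (++s == uri) { s = NULL; } else if (*s != ':') { return APR_EGENERAL; }`. The body of apr_uri_parse continues outside this hunk, so how the no-port path derives the hostname length from `v6_offset2` for such input should be confirmed there, and a matching row in `aup_tests` would pin the result. A one-line comment above the `memchr`, for example `/* ']' must lie inside hostinfo; a missing bracket is malformed */`, would record why the backward scan was replaced.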