You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Andrew Wilson <an...@aaaaaaaa.demon.co.uk> on 1996/04/06 19:29:33 UTC

WWW Form Bug Report: "redirect buffer overflow in mod_imap.c" on SunOS 4.x (fwd)

[this is an old one that slipped through, sorry for the late update...]

mod_imap.c (as of Sat Apr  6 18:25:42 BST 1996) Uses sprintf and
strcpy to concat/copy string which ultimately come from image map
config files defined by users.  The suggestion us that Joe Random
can crash the server by making lines of the config file too long
for the assumed SMALLBUF-long arrays.

You could fix this in one of two ways:

  replace sprintf/strcpy with snprintf/strncpy using n=SMALLBUF,
  though in the case of strncpy this would still not protect you
  against buffer overflow.  At any rate Joe Random might legitimately
  *want* a string longer than SMALLBUFF to be used, in which case
  you lose the end of the data he supplies.

OR

  replace the idium:

  char foo[N]
  char bar[N]
  sprintf(foo, "whatever%s", bar)

  with

  char *foo;
  char *bar;
  foo = pstrcat( "whatever", foo, NULL );
  bar = pstrdup( foo );

  This second approach also means that you don't run the risk of
  losing user data.

So.  Is anyone deep enough into mod_imap.c at the moment to put
these changes into affect, or do I get to rewrite the module (with
a large rusty knife), a process I would not relish since the module
clearly isn't being improved by the large number of rewrites it's
already had. ;)

Ay.

Forwarded message:
> From nobody@hyperreal.com  Fri Mar  8 14:56:42 1996
> Message-Id: <19...@taz.hyperreal.com>
> From: mhpower@mit.edu
> To: apache-bugs%apache.org@organic.com
> Date: Thu Mar  7 20:02:00 1996
> Subject: WWW Form Bug Report: "redirect buffer overflow in mod_imap.c" on SunOS 4.x
> 
> Submitter: mhpower@mit.edu
> Operating system: SunOS 4.x, version: 4.1.4
> Extra Modules used: imap_module
> URL exhibiting problem: 
> 
> Symptoms:
> --
> >#define MAXLINE 500
> ...
>     char redirect[MAXLINE];
> ...
> 
> I believe the statement
> 
>    sprintf (redirect, "%s%s", base_uri, mapurl);
> 
> can write more than 500 characters to redirect,
> which may have various unfortunate consequences
> depending on the platform and compiler. This
> might come up if a user's map file contained
> something like
> 
>    base_uri referer
>    default /490-character-string
> 
> Currently, we have a temporary fix on
> www.mit.edu that checks the lengths of base_uri
> and mapurl before this sprintf (with similar
> checks before the other two occurrences of
> "sprintf (redirect").