Posted to cvs@httpd.apache.org by ji...@apache.org on 2002/09/29 01:40:21 UTC
cvs commit: apache-1.3/src/support ab.c
jim 2002/09/28 16:40:21
Modified: src CHANGES
src/support ab.c
Log:
ab.c was using strncat incorrectly as well as not checking for possible
buffer overflow.
Revision Changes Path
1.1856 +3 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1855
retrieving revision 1.1856
diff -u -r1.1855 -r1.1856
--- CHANGES 25 Sep 2002 23:22:33 -0000 1.1855
+++ CHANGES 28 Sep 2002 23:40:20 -0000 1.1856
@@ -1,5 +1,8 @@
Changes with Apache 1.3.27
+ *) Fix some possible overflows in ab.c noted by David Wagner.
+ [Jim Jagielski]
+
*) Included a patch submitted by Sander van Zoest (#9181) and
written by Michael Radwin whichs is essentially a work around
for the adding headers to error responses. As apache does not
1.67 +16 -15 apache-1.3/src/support/ab.c
Index: ab.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/support/ab.c,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- ab.c 17 Jul 2002 14:49:54 -0000 1.66
+++ ab.c 28 Sep 2002 23:40:20 -0000 1.67
@@ -1079,11 +1079,12 @@
* this is first time, extract some interesting info
*/
char *p, *q;
+ int qlen;
p = strstr(c->cbuff, "Server:");
- q = servername;
+ q = servername; qlen = sizeof(servername);
if (p) {
p += 8;
- while (*p > 32)
+ while (*p > 32 && qlen-- > 1)
*q++ = *p++;
}
*q = 0;
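Review bot: `p += 8` still assumes that a space and at least one more byte follow the matched `Server:` token, which the new `qlen` bound does not cover. `strstr` matches seven characters, so if the buffer ends right after the colon the pointer steps past the terminating NUL and the loop reads whatever lies beyond it; `c->cbuff` appears to hold data received from the server under test, so it should not be assumed well formed. Advancing by the token length and skipping blanks explicitly avoids this: `p += 7; while (*p == ' ' || *p == '\t') p++;`. Separately, `*p > 32` ends the copy at any byte above 0x7f on platforms where plain `char` is signed, which deserves a comment or an `unsigned char` cast. The enclosing block begins and ends outside the hunk.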
@@ -1575,9 +1576,9 @@
strcpy(content_type, optarg);
break;
case 'C':
- strncat(cookie, "Cookie: ", sizeof(cookie));
- strncat(cookie, optarg, sizeof(cookie));
- strncat(cookie, "\r\n", sizeof(cookie));
+ strncat(cookie, "Cookie: ", sizeof(cookie)-strlen(cookie)-1);
+ strncat(cookie, optarg, sizeof(cookie)-strlen(cookie)-1);
+ strncat(cookie, "\r\n", sizeof(cookie)-strlen(cookie)-1);
break;
case 'A':
/*
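Review bot: The `strcpy(content_type, optarg);` at the top of this hunk is left unbounded, although it copies a command-line argument straight into a destination that looks like a fixed-size buffer of the same kind as `cookie`. A long value for that option overruns `content_type` in the way this commit sets out to prevent for the other options. Assuming `content_type` is an array declared outside the hunk, the same idiom used below would bound it: `content_type[0] = '\0'; strncat(content_type, optarg, sizeof(content_type) - 1);`. The `sizeof(x)-strlen(x)-1` form is only correct while these destinations stay arrays rather than pointers, which is worth a short comment at their declarations.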
@@ -1589,9 +1590,9 @@
l = ap_base64encode(tmp, optarg, strlen(optarg));
tmp[l] = '\0';
- strncat(auth, "Authorization: Basic ", sizeof(auth));
- strncat(auth, tmp, sizeof(auth));
- strncat(auth, "\r\n", sizeof(auth));
+ strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
+ strncat(auth, tmp, sizeof(auth)-strlen(auth)-1);
+ strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1);
break;
case 'P':
/*
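Review bot: `ap_base64encode(tmp, optarg, strlen(optarg))` writes into `tmp` with no check that the encoded text fits, so the corrected `strncat` bounds protect `auth` but not `tmp`. Base64 output is about four thirds of the input length, and `tmp` is declared outside the hunk; if it is a fixed-size array, a long -A argument overruns it before `tmp[l] = '\0'` is reached. A length test ahead of the encode would close this, for example `if ((strlen(optarg) + 2) / 3 * 4 + 1 > sizeof(tmp)) { fprintf(stderr, "credentials too long\n"); exit(1); }`. The same applies to the -P case in the next hunk.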
@@ -1602,9 +1603,9 @@
l = ap_base64encode(tmp, optarg, strlen(optarg));
tmp[l] = '\0';
- strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth));
- strncat(auth, tmp, sizeof(auth));
- strncat(auth, "\r\n", sizeof(auth));
+ strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
+ strncat(auth, tmp, sizeof(auth)-strlen(auth)-1);
+ strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1);
break;
case 'X':
{
@@ -1622,8 +1623,8 @@
}
break;
case 'H':
- strncat(hdrs, optarg, sizeof(hdrs));
- strncat(hdrs, "\r\n", sizeof(hdrs));
+ strncat(hdrs, optarg, sizeof(hdrs)-strlen(hdrs)-1);
+ strncat(hdrs, "\r\n", sizeof(hdrs)-strlen(hdrs)-1);
break;
case 'V':
copyright();
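Review bot: With the corrected bound, an over-long -H value is truncated silently, and once `hdrs` is full the following `strncat(hdrs, "\r\n", ...)` appends nothing, so the header block ends in a cut-off line with no terminator. The request that is then built from `hdrs` would be malformed, or would differ from what the user asked for, without any diagnostic. Rejecting the option is safer than truncating: `if (strlen(hdrs) + strlen(optarg) + 2 >= sizeof(hdrs)) { fprintf(stderr, "header too long\n"); exit(1); }` before the appends. The same holds for the `cookie` and `auth` appends in the 'C', 'A' and 'P' hunks.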