You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Charles Fu <cc...@klab.caltech.edu> on 1998/02/20 11:51:20 UTC

general/1847: ap_cpystrn has off by one error

>Number:         1847
>Category:       general
>Synopsis:       ap_cpystrn has off by one error
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Feb 20 03:00:00 PST 1998
>Last-Modified:
>Originator:     ccwf@klab.caltech.edu
>Organization:
apache
>Release:        1.3b5
>Environment:
Linux 2.0.33 i586 w/ glibc 2.0.5c
gcc 2.7.2.3
>Description:
In the normal case where dst_size doesn't end the copy, the null-terminated
string is copied, the pointer advanced, another null added, and the pointer
to the extra null is returned.
>How-To-Repeat:
Try doing a "RewriteCond %{REQUEST_METHOD} =GET", turn on the rewrite log, and
issue a GET request to the server.  The rewrite log will show that "input=''"
because the ap_cpystrn error results in incorrect concatenation.  (The input
winds up being \0GET\0\0\0.)
>Fix:
Try this replacement:

API_EXPORT(char *) ap_cpystrn(char *dst, const char *src, size_t dst_size)
{

    char *d, *end;

    if (!dst_size)
        return (dst);

    d = dst;
    end = dst + dst_size - 1;

    for (; d < end; ++d, ++src)
	if (!(*d = *src))
	    return (d);

    *d = '\0';	/* always null terminate */

    return (d);
}

%0
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]