Posted to cvs@httpd.apache.org by co...@hyperreal.org on 1998/07/01 12:34:21 UTC
cvs commit: apache-1.3/src/support suexec.c
coar 98/07/01 03:34:21
Modified: src/support suexec.c
Log:
Redo the 'too few arguments' error reporting in a way that doesn't
do excessive unsafe string copying (which Marc pointed out was a
flaw in the last edit).
Revision Changes Path
1.41 +27 -1 apache-1.3/src/support/suexec.c
Index: suexec.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- suexec.c 1998/06/20 11:07:38 1.40
+++ suexec.c 1998/07/01 10:34:20 1.41
@@ -261,10 +261,36 @@
if (argc < 4) {
char msgbuf[2048];
int i;
+ int clen;
+ static char *omsg = " {buffer overflow}";
+ int olen = strlen(omsg);
ap_snprintf(msgbuf, sizeof(msgbuf), "too few (%d) arguments:", argc);
+ clen = strlen(msgbuf);
for (i = 0; i < argc; i++) {
- ap_snprintf(msgbuf, sizeof(msgbuf), "%s [%s]", msgbuf, argv[i]);
+ int alen = strlen(argv[i]) + 4;
+ int rlen = sizeof(msgbuf) - clen - 1;
+ int oflow = (alen > rlen);
+
+ alen = oflow ? rlen : alen;
+ if (rlen > 1) {
+ msgbuf[clen++] = ' ';
+ alen--;
+ }
+ if (rlen > 2) {
+ msgbuf[clen++] = '[';
+ alen--;
+ }
+ ap_cpystrn(&msgbuf[clen], argv[i], alen);
+ if (oflow) {
+ ap_cpystrn(&msgbuf[sizeof(msgbuf) - olen - 1], omsg, olen + 1);
+ break;
+ }
+ else {
+ clen += alen - 2;
+ msgbuf[clen++] = ']';
+ msgbuf[clen] = '\0';
+ }
}
log_err("%s\n", msgbuf);
exit(101);
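Review bot: Each `argv[i]` is copied into `msgbuf` byte for byte and then passed to `log_err("%s\n", msgbuf)`, so an argument containing a newline or other control character reaches the log unescaped and can make one invocation read as several entries. Unless `log_err` filters its output (not visible in this hunk), add a single pass over `msgbuf` just before the `log_err` call that replaces every byte failing `isprint((unsigned char)c)` with `?`. Separately, the `alen`/`rlen`/`clen` bookkeeping in the loop is hard to audit by eye. A bounded append such as `ap_snprintf(&msgbuf[clen], sizeof(msgbuf) - clen, " [%s]", argv[i]); clen += strlen(&msgbuf[clen]);` keeps every write inside the buffer with one length to reason about, and truncation can still be detected by checking whether the appended text ends in `]`. The enclosing function starts and ends outside the hunk.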