You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/11/18 07:02:54 UTC

DO NOT REPLY [Bug 14631] New: - Passing unsafe_source data buffer to strstr

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14631>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14631

Passing unsafe_source data buffer to strstr

           Summary: Passing unsafe_source data buffer to strstr
           Product: Apache httpd-2.0
           Version: 2.0.43
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_negotiation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rdg12@stanford.edu


I am running a checker over the Apache source tree to look for bugs.  The 
checker marked the following code as a potential bug.  The
apr_file_read function is used to read data into a buffer buf.  It is my 
understanding that apr_file_read does not null terminate the buffer it writes 
to.  This read is then followed by a strstr command which can potentially 
return misleading results if the buffer is not terminated (either accidentally 
or maliciously).

[BUG] - I think
/u1/rdg12/net/httpd-2.0.43/modules/mappers/mod_negotiation.c:813:get_body: 
ERROR:USER:808:813:passing unsafe_source data buffer to strstr
    /* We are at the first character following a body:tag\n entry 
     * Suck in the body, then backspace to the first char after the 
     * closing tag entry.  If we fail to read, find the tag or back
     * up then we have a hosed file, so give up already
     */
Start --->
    if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
        return -1;
    }

    strncpy(buffer + *len, tag, taglen);
Error --->
    endbody = strstr(buffer, tag);
    if (endbody == buffer + *len) {
        return -1;
    }

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org