Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/11/18 07:02:54 UTC
DO NOT REPLY [Bug 14631] New: - Passing unsafe_source data buffer to strstr
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14631
Summary: Passing unsafe_source data buffer to strstr
Product: Apache httpd-2.0
Version: 2.0.43
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: mod_negotiation
AssignedTo: bugs@httpd.apache.org
ReportedBy: rdg12@stanford.edu
I am running a checker over the Apache source tree to look for bugs. The
checker marked the following code as a potential bug. The
apr_file_read function is used to read data into a buffer buf. It is my
understanding that apr_file_read does not null terminate the buffer it writes
to. This read is then followed by a strstr command which can potentially
return misleading results if the buffer is not terminated (either accidentally
or maliciously).
[BUG] - I think
/u1/rdg12/net/httpd-2.0.43/modules/mappers/mod_negotiation.c:813:get_body:
ERROR:USER:808:813:passing unsafe_source data buffer to strstr
    /* We are at the first character following a body:tag\n entry
     * Suck in the body, then backspace to the first char after the
     * closing tag entry.  If we fail to read, find the tag or back
     * up then we have a hosed file, so give up already
     */
Start --->
    if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
        return -1;
    }
    strncpy(buffer + *len, tag, taglen);
Error --->
    endbody = strstr(buffer, tag);
    if (endbody == buffer + *len) {
        return -1;
    }
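
Added example (not part of the original report and not Apache's code): one way to look for a closing tag only within the bytes actually read, so the result does not depend on a NUL terminator or on NUL bytes in the file data. The names find_bounded and body_end_offset, the "--END" tag and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Search hay[0..hlen) for needle[0..nlen) without reading past hay + hlen.
 * Needs no NUL terminator and does not stop at NUL bytes inside the data. */
static const char *find_bounded(const char *hay, size_t hlen,
                                const char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    }
    return NULL;
}

/* Hypothetical helper: offset of the closing tag within the nread bytes
 * actually read, or -1 when the tag is not fully contained in them. */
static long body_end_offset(const char *buf, size_t nread, const char *tag)
{
    const char *end = find_bounded(buf, nread, tag, strlen(tag));
    return end ? (long)(end - buf) : -1;
}

/* Constructed sample data, not taken from the report. */
static const char TAG[] = "--END";                       /* made-up tag */
static const char raw[12] = { 'h','e','l','l','o','\n',  /* no NUL at all */
                              '-','-','E','N','D','\n' };
static const char with_nul[] = "ab\0cd--END";            /* NUL inside body */
static const char cut_off[] = "body--EN";                /* tag truncated */

static long demo_unterminated(void) { return body_end_offset(raw, sizeof raw, TAG); }
static long demo_embedded_nul(void) { return body_end_offset(with_nul, sizeof with_nul - 1, TAG); }
static long demo_truncated(void)    { return body_end_offset(cut_off, sizeof cut_off - 1, TAG); }
/* strstr() on the same bytes stops at the embedded NUL and misses the tag. */
static int demo_strstr_misses(void) { return strstr(with_nul, TAG) == NULL; }

int main(void)
{
    return !(demo_unterminated() == 6 && demo_embedded_nul() == 5 &&
             demo_truncated() == -1 && demo_strstr_misses());
}
```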