Posted to cvs@httpd.apache.org by ia...@apache.org on 2004/11/19 18:54:55 UTC
svn commit: r105806 - httpd/mod_pop3/trunk
Author: ianh
Date: Fri Nov 19 03:21:37 2004
New Revision: 105806
Modified:
httpd/mod_pop3/trunk/modules.mk
httpd/mod_pop3/trunk/pop_core.c
httpd/mod_pop3/trunk/pop_protocol.c
Log:
Fix Buffer Overflow -- Thanks to Edward Rudd (www.outoforder.cc)
Make code compile under httpd-2.1
Modified: httpd/mod_pop3/trunk/modules.mk
==============================================================================
--- httpd/mod_pop3/trunk/modules.mk (original)
+++ httpd/mod_pop3/trunk/modules.mk Fri Nov 19 03:21:37 2004
@@ -1,5 +1,5 @@
-mod_pop.la: pop_core.lo pop_protocol.lo pop_mbox.lo
- $(MOD_LINK) pop_core.lo pop_protocol.lo pop_mbox.lo
+libmod_pop.la: pop_core.lo pop_protocol.lo pop_mbox.lo
+ $(MOD_LINK) pop_core.lo pop_protocol.lo pop_mbox.lo $(MOD_POP_LDADD)
DISTCLEAN_TARGETS = modules.mk
-static = mod_pop.la
+static = libmod_pop.la
shared =
Modified: httpd/mod_pop3/trunk/pop_core.c
==============================================================================
--- httpd/mod_pop3/trunk/pop_core.c (original)
+++ httpd/mod_pop3/trunk/pop_core.c Fri Nov 19 03:21:37 2004
@@ -163,7 +163,8 @@
const char *buf;
const char *pos;
- APR_BRIGADE_FOREACH(e, bb) {
+ while ( !APR_BRIGADE_EMPTY( bb ) ) {
+ e = APR_BRIGADE_FIRST(bb);
apr_size_t len = e->length;
if (e->length != 0) {
@@ -205,7 +206,9 @@
break;
}
}
+
}
+ apr_bucket_delete(e);
}
return ap_pass_brigade(f->next, bb);
}
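Review bot: The rewritten loop consumes the brigade it is about to forward: each pass takes `APR_BRIGADE_FIRST(bb)` and ends with `apr_bucket_delete(e)`, so `bb` appears to be empty by the time `ap_pass_brigade(f->next, bb)` runs, unless the unseen part of the loop body moves the data elsewhere. Zero-length metadata buckets such as EOS or FLUSH would be deleted too, and if the body inserts buckets ahead of `e`, `APR_BRIGADE_FIRST` would keep returning the inserted bucket. The loop header is in the previous hunk (@@ -163,7 +163,8 @@) and most of the body lies outside both hunks, so this needs checking against the full function. If the aim was only to replace the removed `APR_BRIGADE_FOREACH` macro, a non-destructive walk keeps the old behaviour: `for (e = APR_BRIGADE_FIRST(bb); e != APR_BRIGADE_SENTINEL(bb); e = APR_BUCKET_NEXT(e)) {`, with the `apr_bucket_delete(e)` line dropped.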
Modified: httpd/mod_pop3/trunk/pop_protocol.c
==============================================================================
--- httpd/mod_pop3/trunk/pop_protocol.c (original)
+++ httpd/mod_pop3/trunk/pop_protocol.c Fri Nov 19 03:21:37 2004
@@ -73,16 +73,16 @@
#include <sys/types.h>
#include <assert.h>
-static void md5_convert(unsigned char digest[(2 * MD5_DIGESTSIZE) + 1])
+static void md5_convert(unsigned char digest[(2 * APR_MD5_DIGESTSIZE) + 1])
{
char *ptr;
int i;
- unsigned char hash[MD5_DIGESTSIZE];
+ unsigned char hash[APR_MD5_DIGESTSIZE];
const char *hex = "0123456789abcdef";
- memcpy(hash, digest, MD5_DIGESTSIZE);
+ memcpy(hash, digest, APR_MD5_DIGESTSIZE);
- for (i = 0, ptr = digest; i < MD5_DIGESTSIZE; i++) {
+ for (i = 0, ptr = digest; i < APR_MD5_DIGESTSIZE; i++) {
*ptr++ = hex[hash[i] >> 4];
*ptr++ = hex[hash[i] & 0xF];
}
@@ -95,7 +95,7 @@
apr_finfo_t finfo;
pop_user_rec *ur = (pop_user_rec *)ap_get_module_config(r->request_config,
&pop_module);
- unsigned char *digest = apr_pcalloc(ur->p, 2 * MD5_DIGESTSIZE + 1);
+ unsigned char *digest = apr_pcalloc(ur->p, 2 * APR_MD5_DIGESTSIZE + 1);
apr_stat(&finfo, r->filename, APR_FINFO_SIZE, ur->p);
apr_mmap_create(&mm, ur->fp, 0,
@@ -110,20 +110,25 @@
int process_pop_connection_internal(request_rec *r, apr_bucket_brigade *bb)
{
- char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH);
+ char cmdbuff[POP_STRING_LENGTH];
+ char *buffer; /* a pointer to cmdbuff */
char *command;
int invalid_cmd = 0;
apr_size_t len;
pop_handler_st *handle_func;
+ apr_pool_t *p;
pop_user_rec *ur = (pop_user_rec *)ap_get_module_config(r->request_config,
&pop_module);
+ apr_pool_create(&p, r->pool);
r->uri = apr_pstrdup(r->pool, "pop:");
ap_run_map_to_storage(r);
while (1) {
int res;
+ buffer = cmdbuff; /* reset buffer pointer */
+ apr_pool_clear(p);
if ((invalid_cmd > MAX_INVALID_CMD) ||
ap_rgetline(&buffer, POP_STRING_LENGTH, &len, r, 0, bb) != APR_SUCCESS)
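Review bot: The result of `apr_pool_create(&p, r->pool)` is ignored, yet `p` is handed to `apr_pool_clear(p)` on every iteration; check it against `APR_SUCCESS` and bail out before entering the loop. The comment on `buffer = cmdbuff;` should also record why the rewind is the actual overflow fix, for example `/* ap_getword_white_nc() advances buffer; rewind it so ap_rgetline() never writes POP_STRING_LENGTH bytes starting mid-buffer */`. Now that client input lands in a fixed stack array, the size passed to `ap_rgetline` is better tied to the array itself, `ap_rgetline(&buffer, sizeof(cmdbuff), &len, r, 0, bb)`, so a later change to one cannot silently outgrow the other. The function body continues outside this hunk.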
@@ -131,7 +136,8 @@
break;
}
- command = ap_getword_white_nc(r->pool, &buffer);
+ /* The command moves the pointer of buffer to the end of the extracted string */
+ command = ap_getword_white_nc(p, &buffer);
ap_str_tolower(command);
handle_func = apr_hash_get(ap_pop_hash, command, APR_HASH_KEY_STRING);
@@ -152,6 +158,7 @@
break;
}
}
+
return OK;
}
@@ -231,11 +238,15 @@
pop_msg *msg;
apr_size_t i = 0, j = 0;
- APR_RING_FOREACH(msg, &(mbox)->list, pop_msg, link) {
+ /* APR_RING_FOREACH(msg, &(mbox)->list, pop_msg, link) { */
+ while ( !APR_RING_EMPTY( &(mbox)->list, pop_msg, link )) {
+ msg = APR_RING_FIRST( &(mbox)->list );
+
if (!msg->deleted) {
i++;
j += (msg->msg_end - msg->header_start + 1);
}
+ APR_RING_REMOVE( msg, link);
}
*num = i;
*size = j;
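Review bot: This loop now empties the mailbox ring while it counts it, because every pass takes `APR_RING_FIRST( &(mbox)->list )` and ends with `APR_RING_REMOVE( msg, link)`, so nothing is left on the list once `*num` and `*size` are set. If the ring is the module's only index of the messages (not visible here), later commands in the same session would see an empty mailbox. The hunk at @@ -491,10 +503,14 @@ has the same problem: it unlinks every message while clearing `msg->deleted`. A non-destructive replacement for the removed `APR_RING_FOREACH` is `for (msg = APR_RING_FIRST(&(mbox)->list); msg != APR_RING_SENTINEL(&(mbox)->list, pop_msg, link); msg = APR_RING_NEXT(msg, link)) {`, with the `APR_RING_REMOVE` line and the commented-out macro line dropped. The enclosing function starts outside this hunk.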
@@ -456,7 +467,8 @@
int ap_handle_retr(request_rec *r, char *buffer)
{
char *num;
- int i, bytes_sent;
+ int i;
+ apr_size_t bytes_sent;
pop_msg *msg = NULL;
pop_user_rec *ur = (pop_user_rec *)ap_get_module_config(r->request_config,
&pop_module);
@@ -491,10 +503,14 @@
apr_size_t num, size;
pop_user_rec *ur = (pop_user_rec *)ap_get_module_config(r->request_config,
&pop_module);
- APR_RING_FOREACH(msg, &(ur->mbox)->list, pop_msg, link) {
+ /* APR_RING_FOREACH(msg, &(ur->mbox)->list, pop_msg, link) {*/
+ while ( !APR_RING_EMPTY( &(ur->mbox)->list, pop_msg, link )) {
+ msg = APR_RING_FIRST( &(ur->mbox)->list );
+
if (msg->deleted) {
msg->deleted = 0;
}
+ APR_RING_REMOVE( msg, link);
}
ur->high_access = 0;
@@ -555,7 +571,7 @@
int ap_handle_top(request_rec *r, char *buffer)
{
const char *msgnum, *lines;
- int bytes_sent;
+ apr_size_t bytes_sent;
int i;
pop_msg *msg;
apr_off_t off;