You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2009/09/14 19:35:45 UTC

Re: svn commit: r797563 - in /httpd/httpd/trunk: CHANGES support/htdbm.c

On Fri, Jul 24, 2009 at 1:15 PM, <po...@apache.org> wrote:

> Author: poirier
> Date: Fri Jul 24 17:15:29 2009
> New Revision: 797563
>
> URL: http://svn.apache.org/viewvc?rev=797563&view=rev
> Log:
> htdbm: Fix possible buffer overflow if dbm database has very
> long values.  PR 30586 [Dan Poirier]
>
> PR 30586
> Reported by: Ulf Harnhammar, Swedish IT Incident Centre
>
> Modified:
>    httpd/httpd/trunk/CHANGES
>    httpd/httpd/trunk/support/htdbm.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=797563&r1=797562&r2=797563&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Jul 24 17:15:29 2009
> @@ -11,6 +11,9 @@
>      mod_proxy_ajp: Avoid delivering content from a previous request which
>      failed to send a request body. PR 46949 [Ruediger Pluem]
>
> +  *) htdbm: Fix possible buffer overflow if dbm database has very
> +     long values.  PR 30586 [Dan Poirier]
>

As noted in 2.2.x/STATUS, htdbm_list() now uses unbounded memory:



> @@ -250,8 +250,6 @@
>         fprintf(stderr, "Empty database -- %s\n", htdbm->filename);
>         return APR_ENOENT;
>     }
> -    rec = apr_pcalloc(htdbm->pool, HUGE_STRING_LEN);
> -
>     fprintf(stderr, "Dumping records from database -- %s\n",
> htdbm->filename);
>     fprintf(stderr, "    %-32sComment\n", "Username");
>     while (key.dptr != NULL) {
> @@ -260,11 +258,9 @@
>             fprintf(stderr, "Failed getting data from %s\n",
> htdbm->filename);
>             return APR_EGENERAL;
>         }
> -        strncpy(kb, key.dptr, key.dsize);
> -        kb[key.dsize] = '\0';
> +        kb = apr_pstrndup(htdbm->pool, key.dptr, key.dsize);
>         fprintf(stderr, "    %-32s", kb);
> -        strncpy(rec, val.dptr, val.dsize);
> -        rec[val.dsize] = '\0';
> +        rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
>         cmnt = strchr(rec, ':');
>         if (cmnt)
>             fprintf(stderr, "%s", cmnt + 1);
>

I suggest solving the first allocation by using %.*s%.*s  (the first string
being the key and the second string being a string of blanks the width of
the field).

I suggest solving the second allocation with memchr and %.*s.