Posted to dev@httpd.apache.org by Randy Terbush <ra...@covalent.net> on 1997/12/20 23:40:45 UTC

Re: [PATCH] mod_negotiation small bug fix

+1

> The strip_paren_comments() function does the wrong thing when given a line
> with an unterminated "-quoted string.  It increments the variable hdr
> twice, passing the \0 terminator.
> 
> This doesn't cause a buffer overflow exploit, but maybe can cause a
> segv.
> 
> Dean
> 
> Index: modules/standard/mod_negotiation.c
> ===================================================================
> RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
> retrieving revision 1.61
> diff -u -r1.61 mod_negotiation.c
> --- mod_negotiation.c	1997/10/22 20:30:26	1.61
> +++ mod_negotiation.c	1997/12/19 09:11:35
> @@ -645,10 +645,11 @@
>  
>      while (*hdr) {
>          if (*hdr == '"') {
> -            while (*++hdr && *hdr != '"') {
> -                continue;
> -            }
> -            ++hdr;
> +	    hdr = strchr(hdr, '"');
> +	    if (hdr == NULL) {
> +		return;
> +	    }
> +	    ++hdr;
>          }
>          else if (*hdr == '(') {
>              while (*hdr && *hdr != ')') {
>
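Review bot: the new `hdr = strchr(hdr, '"');` line is reached only when `*hdr == '"'`, so strchr returns hdr itself (the opening quote), never the closing one; the `++hdr` that follows then steps just past the opening quote and the quoted string's body is scanned as ordinary text, so a `(` inside it is treated as a comment and an unterminated quote never hits the `return`. Search from the next character instead: `hdr = strchr(hdr + 1, '"');` with the NULL check kept as written. Minor: the added lines are tab-indented while the surrounding context uses spaces.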
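The edge case Dean describes (an unterminated "-quoted string making the skip loop step past the NUL terminator), as an added example that is not Apache's code and not the patch above. `old_skip_quoted` reproduces the removed inner loop; `new_skip_quoted` and `strip_paren_comments_example` are my own corrected versions, and the comment-stripping semantics (replace `(...)` with spaces, leave quoted strings alone) are an assumption about what mod_negotiation's `strip_paren_comments()` is meant to do. The sample header with bytes placed after an embedded NUL is constructed so the overread lands on something visible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a quoted string that is never closed, with bytes
 * placed after the NUL so an index past the terminator is observable.
 * Index 12 is the opening quote, index 16 is the NUL. */
static const char sample_header[] = "text/html;q=\"abc\0HIDDEN\"";

/* The removed loop from the patch: stops on NUL, then steps past it. */
static size_t old_skip_quoted(const char *buf, size_t pos)
{
    const char *hdr = buf + pos;           /* points at the opening quote */
    while (*++hdr && *hdr != '"') {
        continue;
    }
    ++hdr;                                 /* unconditional: one past NUL if unterminated */
    return (size_t)(hdr - buf);
}

/* Corrected skip: look for the closing quote starting AFTER the opening one
 * (strchr(hdr, '"') would just return hdr), and stop on the NUL if there
 * is no closing quote. Returns the index of the first byte after the string. */
static size_t new_skip_quoted(const char *buf, size_t pos)
{
    const char *hdr = buf + pos;
    const char *close = strchr(hdr + 1, '"');
    if (close == NULL) {
        return pos + strlen(hdr);          /* index of the terminator, never beyond */
    }
    return (size_t)(close + 1 - buf);
}

/* Assumed semantics: blank out RFC 822-style "(comment)" text in place,
 * leave quoted strings untouched, and give up safely on an unterminated
 * quote instead of walking past the end of the buffer. */
void strip_paren_comments_example(char *hdr)
{
    while (*hdr) {
        if (*hdr == '"') {
            char *close = strchr(hdr + 1, '"');
            if (close == NULL) {
                return;                    /* unterminated quote: nothing more to do */
            }
            hdr = close + 1;
        }
        else if (*hdr == '(') {
            while (*hdr && *hdr != ')') {
                *hdr++ = ' ';
            }
            if (*hdr == ')') {
                *hdr++ = ' ';
            }
        }
        else {
            ++hdr;
        }
    }
}

int main(void)
{
    char h[] = "text/html (preferred), \"keep (this)\" (drop)";
    char u[] = "a (x) \"unterminated (not a comment)";

    printf("old skip lands at index %zu (NUL is at 16)\n",
           old_skip_quoted(sample_header, 12));
    printf("new skip lands at index %zu\n", new_skip_quoted(sample_header, 12));

    strip_paren_comments_example(h);
    strip_paren_comments_example(u);
    printf("[%s]\n[%s]\n", h, u);
    return 0;
}
```

With the constructed buffer the old loop returns index 17, one byte beyond the terminator at index 16; on a real request that byte is whatever happens to follow the header copy in memory, which is the segv Dean mentions. Note that a `(` inside the unterminated quote is left alone because the function returns rather than treating it as a comment.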