Posted to dev@httpd.apache.org by Randy Terbush <ra...@covalent.net> on 1997/12/20 23:40:45 UTC
Re: [PATCH] mod_negotiation small bug fix
+1
> The strip_paren_comments() function does the wrong thing when given a line
> with an unterminated "-quoted string. It increments the variable hdr
> twice, passing the \0 terminator.
>
> This doesn't cause a buffer overflow exploit, but maybe can cause a
> segv.
>
> Dean
>
> Index: modules/standard/mod_negotiation.c
> ===================================================================
> RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
> retrieving revision 1.61
> diff -u -r1.61 mod_negotiation.c
> --- mod_negotiation.c 1997/10/22 20:30:26 1.61
> +++ mod_negotiation.c 1997/12/19 09:11:35
> @@ -645,10 +645,11 @@
>
> while (*hdr) {
> if (*hdr == '"') {
> - while (*++hdr && *hdr != '"') {
> - continue;
> - }
> - ++hdr;
> + hdr = strchr(hdr, '"');
> + if (hdr == NULL) {
> + return;
> + }
> + ++hdr;
> }
> else if (*hdr == '(') {
> while (*hdr && *hdr != ')') {
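Review bot: the new quoted-string branch never reaches the closing quote. When `hdr = strchr(hdr, '"');` runs, *hdr is already the opening '"', so strchr() returns hdr unchanged and the following `++hdr` steps over only the opening quote; the body of the string is then scanned as ordinary text, and any '(' inside it is treated as the start of a comment. The NULL check and early return are right (they are what stop the old loop from walking past the terminator on an unterminated string), but the search has to start one character later: `hdr = strchr(hdr + 1, '"');`.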
>
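The two edge cases Dean's note is about, an unterminated "-quoted string and a comment that runs off the end of the line, worked through as an added example. This is not Apache's code and not part of the thread: the function name strip_paren_comments_safe is made up here, and because the hunk only shows the loop condition of the paren branch, blanking a comment with spaces (rather than removing it) is an assumption. The quote branch searches from the character after the opening quote and returns as soon as no closing quote exists, so the scan never steps past the NUL.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Apache's code. Skips "-quoted strings and blanks
 * (...)-comments in place without ever advancing past the terminating NUL.
 * Overwriting comments with spaces is an assumption; the patch on the page
 * shows only the loop condition of the paren branch, not its body. */
void strip_paren_comments_safe(char *hdr)
{
    while (*hdr) {
        if (*hdr == '"') {
            /* Search from the character AFTER the opening quote; searching
             * from hdr itself would just find the opening quote again. */
            char *close = strchr(hdr + 1, '"');
            if (close == NULL) {
                return;             /* unterminated string: stop here */
            }
            hdr = close + 1;        /* resume after the closing quote */
        }
        else if (*hdr == '(') {
            while (*hdr && *hdr != ')') {
                *hdr++ = ' ';
            }
            if (*hdr) {             /* only overwrite ')' if one was found */
                *hdr++ = ' ';
            }
            /* if the comment was unterminated, *hdr is now NUL and the
             * outer loop ends normally */
        }
        else {
            ++hdr;
        }
    }
}

/* Copy src into dst and strip it there; -1 if dst is too small. */
int strip_into(char *dst, size_t dstlen, const char *src)
{
    if (strlen(src) + 1 > dstlen) {
        return -1;
    }
    strcpy(dst, src);
    strip_paren_comments_safe(dst);
    return 0;
}

/* 1 if stripping src yields exactly expect. */
int strips_to(const char *src, const char *expect)
{
    char buf[128];
    if (strip_into(buf, sizeof buf, src) != 0) {
        return 0;
    }
    return strcmp(buf, expect) == 0;
}

/* 1 if stripping src yields exactly n space characters. */
int strips_to_spaces(const char *src, size_t n)
{
    char buf[128];
    if (strip_into(buf, sizeof buf, src) != 0 || strlen(buf) != n) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != ' ') {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* constructed sample header values, not captured traffic */
    const char *inputs[] = {
        "text/html; q=0.8 (obsolete)",
        "\"a (not a comment) b\" (real comment)",
        "\"unterminated (quote",
        "(unterminated comment",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        strip_into(buf, sizeof buf, inputs[i]);
        printf("%-40s -> [%s]\n", inputs[i], buf);
    }
    return 0;
}
```

The third input is the case from the report: with the search starting at hdr + 1 and a NULL check on the result, the function returns with the line untouched instead of reading past its end, and parentheses inside a properly closed quoted string are left alone.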