Posted to dev@httpd.apache.org by Edward Rudd <ed...@omegaware.com> on 2004/01/04 03:31:32 UTC

httpd-pop3 buffer overflow bug

I have found a major buffer overflow bug. I found this while working on
my FTP module for Apache 2.0 <http://outoforder.cc/projects/apache/>,
which was initially based on the structure of httpd-pop3.

The issue is that ap_getword_white_nc moves the pointer in buffer up by the
number of characters that were extracted and copied into the allocated
return value (on line 135, command). After a number of iterations through
the main while(1) loop, buffer gets continually incremented well beyond
the initial 255 characters that were originally allocated to it, and
starts overwriting other elements allocated afterward from r->pool.

This is my solution to the problem.

Here is the patch:
--- pop_protocol.c.bak  Tue Nov  4 15:08:10 2003
+++ pop_protocol.c      Sat Jan  3 20:27:35 2004
@@ -110,7 +110,8 @@

 int process_pop_connection_internal(request_rec *r, apr_bucket_brigade *bb)
 {
-    char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH);
+    char command_buffer[POP_STRING_LENGTH];
+    char *buffer;
     char *command;
     int invalid_cmd = 0;
     apr_size_t len;
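Review bot: moving the buffer from r->pool to a stack array is not what fixes the overrun described above; the cause is that `buffer` is advanced by ap_getword_white_nc and never reset, so keeping `char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH);` and resetting a separate cursor pointer at the top of each loop iteration would fix it with a smaller, lifetime-preserving change. If the stack array stays, `char *buffer;` is now uninitialised until the assignment inside the loop, so please confirm that nothing between these declarations and the `while (1)` (not shown in this hunk) reads `buffer`, and that `command_buffer[POP_STRING_LENGTH]` is the same size as the POP_STRING_LENGTH limit handed to ap_rgetline so the read can never exceed the array.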
@@ -124,7 +125,7 @@

     while (1) {
         int res;
-
+       buffer = command_buffer;
         if ((invalid_cmd > MAX_INVALID_CMD) ||
             ap_rgetline(&buffer, POP_STRING_LENGTH, &len, r, 0, bb) != APR_SUCCESS)
         {
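Review bot: the added `buffer = command_buffer;` line does not match the eight-space indentation of the surrounding context lines; please align it with the `int res;` and `if (...)` lines. A one-line comment above it stating why the pointer must be reset on every iteration (ap_getword_white_nc advances `buffer` past the consumed command) would keep a later cleanup from removing an assignment that otherwise looks redundant; without that reset a fixed-size stack array would be overrun exactly as the pool buffer was. Dropping the blank line above it is fine as a style change.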