brianp 2002/06/11 18:42:35
Modified: file_io/unix filepath.c
Log:
More conservative buffer overflow checking code for
apr_filepath_merge(): fail immediately if the sum of
the rootpath and addpath lengths is too long, rather
than letting long strings pass through and checking
for overflow at multiple points throughout the merge
code.
Revision Changes Path
1.15 +1 -12 apr/file_io/unix/filepath.c
Index: filepath.c
===================================================================
RCS file: /home/cvs/apr/file_io/unix/filepath.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- filepath.c 17 Mar 2002 03:24:15 -0000 1.14
+++ filepath.c 12 Jun 2002 01:42:35 -0000 1.15
@@ -189,10 +189,7 @@
* root, and at end, plus trailing
* null */
if (maxlen > APR_PATH_MAX) {
- if (rootlen >= APR_PATH_MAX) {
- return APR_ENAMETOOLONG;
- }
- maxlen = APR_PATH_MAX;
+ return APR_ENAMETOOLONG;
}
path = (char *)apr_palloc(p, maxlen);
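Review bot: The early return at `if (maxlen > APR_PATH_MAX)` now rejects on the worst-case input length rather than on the length of the merged result, and nothing in the code says so. A rootpath/addpath pair whose segments would shrink during the merge (the backpath handling later in the function suggests `..` is processed) is now refused, where revision 1.14 clamped maxlen and carried on. That is a caller-visible change worth stating at the check, for example `/* Reject on combined input length; all later writes into path rely on this bound */`. The function's documentation should also say that APR_ENAMETOOLONG can be returned for inputs whose merged form would have fit. The computation of maxlen and the rest of apr_filepath_merge() lie outside this hunk, so whether the sum itself can wrap for very large inputs cannot be confirmed from here.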
@@ -223,8 +220,6 @@
/* Always '/' terminate the given root path
*/
if (keptlen && path[keptlen - 1] != '/') {
- if (keptlen + 1 >= maxlen)
- return APR_ENAMETOOLONG;
path[keptlen++] = '/';
}
pathlen = keptlen;
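Review bot: The write `path[keptlen++] = '/'` is now unguarded, as are `memcpy(path + pathlen, "../", 3)` and `memcpy(path + pathlen, addpath, seglen)` in the next two hunks. All three are safe only if maxlen is a true upper bound on every byte the merge can emit. That bound is computed above the first hunk, and its comment suggests it is the input lengths plus slack for separators and the terminator. The invariant should be written down at each write site so a later change to the segment handling does not silently break it, for example `/* cannot overflow: pathlen + seglen < maxlen by the length check before apr_palloc */`. The case to re-check when this code is touched is a segment that writes more bytes than it consumes from addpath, such as a final `..` with no trailing slash emitted as `../`. The slack presumably covers one such case, but the hunks do not show it.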
@@ -271,9 +266,6 @@
/* Otherwise append another backpath.
*/
- if (pathlen + 3 >= maxlen ) {
- return APR_ENAMETOOLONG;
- }
memcpy(path + pathlen, "../", 3);
pathlen += 3;
}
@@ -303,9 +295,6 @@
*/
if (*next) {
seglen++;
- }
- if (pathlen + seglen >= maxlen) {
- return APR_ENAMETOOLONG;
}
memcpy(path + pathlen, addpath, seglen);
pathlen += seglen;