apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: Buffer overflow in apr_brigade_vprintf() ?
Date Fri, 24 Apr 2009 21:01:45 GMT


On 04/24/2009 10:10 PM, C. Michael Pilato wrote:

> 
>     /* tack on null terminator to remaining string */
>     *(vd.vbuff.curpos) = '\0';
> 
> Uh-oh.  Buffer overflow!
> 
> Our CollabNet engineer is proposing a simple fix:  defining 'buf' inside
> apr_brigade_vprintf() like so:
> 
>     char buf[APR_BUCKET_BUFF_SIZE + 1]
> 
> (Note the "+ 1" to make room for that pesky NULL byte.)
> 
> But I'm wondering if an equally correct fix would be to simply not tack the
> '\0' onto the buffer at all.  Doesn't apr_brigade_write() accept both the
> buffer and the number of bytes to write?  Does it really need a
> null-terminated string, especially considering that its input could be
> arbitrary binary data?  Other calls to it pass things like "str" and
> "strlen(str)", which would ignore the NULL byte in "str".
> 
> [1]
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&viewType=browseAll&dsMessageId=1745697
> 

Fixed in r768417 (http://svn.apache.org/viewvc?view=rev&revision=768417).

Regards

RĂ¼diger

Mime
View raw message