From: Ruediger Pluem
To: "C. Michael Pilato"
Cc: dev@apr.apache.org, Subversion Developers
Date: Fri, 24 Apr 2009 23:01:45 +0200
Subject: Re: Buffer overflow in apr_brigade_vprintf() ?
Message-ID: <49F228B9.7010900@apache.org>
In-Reply-To: <49F21CD2.5020105@collab.net>

On 04/24/2009 10:10 PM, C. Michael Pilato wrote:
>
> /* tack on null terminator to remaining string */
> *(vd.vbuff.curpos) = '\0';
>
> Uh-oh. Buffer overflow!
>
> Our CollabNet engineer is proposing a simple fix: defining 'buf' inside
> apr_brigade_vprintf() like so:
>
> char buf[APR_BUCKET_BUFF_SIZE + 1];
>
> (Note the "+ 1" to make room for that pesky NULL byte.)
>
> But I'm wondering if an equally correct fix would be to simply not tack the
> '\0' onto the buffer at all. Doesn't apr_brigade_write() accept both the
> buffer and the number of bytes to write? Does it really need a
> null-terminated string, especially considering that its input could be
> arbitrary binary data? Other calls to it pass things like "str" and
> "strlen(str)", which would ignore the NULL byte in "str".
>
> [1]
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&viewType=browseAll&dsMessageId=1745697
>

Fixed in r768417 (http://svn.apache.org/viewvc?view=rev&revision=768417).

Regards

Rüdiger
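To make the off-by-one discussed in this thread concrete, the following is an added example constructed for this archive page; it is not APR's or Subversion's code. It models the apr_vformatter buffer contract: the formatter writes at curpos and calls the flush callback only when curpos reaches endpos, so when it returns the buffer may be completely full (curpos == endpos). The vulnerable shape then writes the terminator at curpos into a buffer sized exactly to endpos; here that buffer carries one extra canary byte so the stray write is observable rather than undefined behaviour. The fixed shape, like the approach Michael suggests and the committed fix, writes no terminator and hands the remainder on with an explicit length. The names model_buff_t, model_vprintf_data_t, MODEL_BUFF_SIZE, the toy byte-at-a-time formatter and the sample strings are all assumptions of this example.

```c
#include <stddef.h>

/* Constructed model of the apr_vformatter buffer contract (not APR's code):
 * the formatter writes at curpos and calls flush when curpos reaches endpos,
 * so after it returns the buffer may be completely full. */
typedef struct {
    char *curpos;
    char *endpos;
} model_buff_t;

#define MODEL_BUFF_SIZE 16  /* stand-in for APR_BUCKET_BUFF_SIZE (assumption) */

typedef struct {
    model_buff_t vbuff;   /* first member, so flush can cast back to the outer struct */
    char *cbuff;          /* start of the caller's stack buffer */
    size_t flushed;       /* bytes already handed on with an explicit length */
} model_vprintf_data_t;

/* flush: pass [cbuff, curpos) on as (pointer, length), then restart at cbuff. */
static int model_flush(model_buff_t *buff)
{
    model_vprintf_data_t *vd = (model_vprintf_data_t *)buff;
    vd->flushed += (size_t)(buff->curpos - vd->cbuff);
    buff->curpos = vd->cbuff;
    return 0;
}

/* Toy formatter: copies text one byte at a time, flushing only when the
 * buffer is full. Returns the number of bytes written, -1 on flush error. */
static int model_vformatter(int (*flush)(model_buff_t *), model_buff_t *buff,
                            const char *text)
{
    int written = 0;
    for (; *text != '\0'; ++text, ++written) {
        if (buff->curpos >= buff->endpos && flush(buff) != 0)
            return -1;
        *buff->curpos++ = *text;
    }
    return written;
}

/* Vulnerable shape from the thread: a buffer of exactly MODEL_BUFF_SIZE bytes
 * followed by an unconditional "tack on null terminator" at curpos. The array
 * here is one byte longer than endpos implies, purely as a canary, so the
 * overflowing write stays defined and observable.
 * Returns 1 if the NUL landed on the canary, i.e. one past the real buffer. */
static int vulnerable_nul_hits_canary(const char *text)
{
    model_vprintf_data_t vd;
    char buf[MODEL_BUFF_SIZE + 1];

    buf[MODEL_BUFF_SIZE] = 0x7f;               /* canary just past the real buffer */
    vd.vbuff.curpos = buf;
    vd.vbuff.endpos = buf + MODEL_BUFF_SIZE;   /* the original bound, not the canary */
    vd.cbuff = buf;
    vd.flushed = 0;

    model_vformatter(model_flush, &vd.vbuff, text);
    *(vd.vbuff.curpos) = '\0';                 /* the overflowing line */

    return buf[MODEL_BUFF_SIZE] != 0x7f;
}

/* Fixed shape: no terminator at all; the remainder is passed on with its
 * length, as a (buf, nbytes) write such as apr_brigade_write() takes.
 * Returns the total bytes delivered, which must equal the input length. */
static size_t fixed_total_bytes(const char *text)
{
    model_vprintf_data_t vd;
    char buf[MODEL_BUFF_SIZE];

    vd.vbuff.curpos = buf;
    vd.vbuff.endpos = buf + MODEL_BUFF_SIZE;
    vd.cbuff = buf;
    vd.flushed = 0;

    model_vformatter(model_flush, &vd.vbuff, text);
    /* equivalent of apr_brigade_write(b, flush, ctx, buf, curpos - buf) */
    return vd.flushed + (size_t)(vd.vbuff.curpos - buf);
}
```

With this model the stray write occurs exactly when the formatted length is a non-zero multiple of the buffer size: 15 or 17 bytes leave curpos inside the buffer, 16 or 32 leave it at endpos and the terminator lands one byte past the array. The length-carrying version never writes the terminator, so the only remaining question for a caller is whether it needs the data to be a C string, which apr_brigade_write() does not.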