apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mladen Turk <mt...@apache.org>
Subject [WIN32] utf8_to_unicode_path conversion errors
Date Thu, 10 Sep 2009 19:02:52 GMT
Hi,

I suppose Bill will give some more insight into this
cause it's only win related.

I came into edge case where utf8_to_unicode_path fails
for apr_stat on NT pipes.
NT pipes have maximum name length of 256 chars, and
utf8_to_unicode_path starts mangling paths longer
then 248 chars.

code from file_io/win32/open.c :
if (srcremains > 248) {
  ...
  else if ((srcstr[0] == '/' || srcstr[0] == '\\')
           && (srcstr[1] == '/' || srcstr[1] == '\\')
           && (srcstr[2] != '?')) {
  ...
  wcscpy (retstr, L"\\\\?\\UNC\\");


Now this will for pipe names that always start
with '\\.\pipe\' or  '\\server\pipe\' and are longer
then 248 chars produce something like
\\?\UNC\.\pipe\... leading to ERROR_PATH_NOT_FOUND.
Further more GetFileAttributesW in apr_stat blocks for 30+
seconds leading to potential DoS attack.

The solution is to add "&& (srcstr[2] != '.')" to the
upper check, but dunno if that would break something else

Comments?

Regards
-- 
^TM


Mime
View raw message