Return-Path: Delivered-To: apache-cvs-archive@hyperreal.org Received: (qmail 26391 invoked by uid 6000); 5 Jan 1998 20:56:30 -0000 Received: (qmail 26384 invoked by uid 149); 5 Jan 1998 20:56:29 -0000 Date: 5 Jan 1998 20:56:29 -0000 Message-ID: <19980105205629.26383.qmail@hyperreal.org> From: marc@hyperreal.org To: apache-cvs@hyperreal.org Subject: cvs commit: apache/src util.c Sender: apache-cvs-owner@apache.org Precedence: bulk Reply-To: new-httpd@apache.org marc 98/01/05 12:56:29 Modified: src Tag: APACHE_1_2_X util.c Log: Eliminate (content sensitive) buffer overflow in cfg_getline. I have tested it and this hole is exploitable. Reviewed by: Martin Kraemer, Mark J Cox, Dean Gaudet, Randy Terbush Revision Changes Path No revision No revision 1.52.2.4 +6 -1 apache/src/util.c Index: util.c =================================================================== RCS file: /export/home/cvs/apache/src/util.c,v retrieving revision 1.52.2.3 retrieving revision 1.52.2.4 diff -u -r1.52.2.3 -r1.52.2.4 --- util.c 1997/12/30 18:59:32 1.52.2.3 +++ util.c 1998/01/05 20:56:28 1.52.2.4 @@ -569,6 +569,11 @@ if(c == EOF) return 1; + if(n < 2) { + /* too small, assume caller is crazy */ + return 1; + } + while(1) { if((c == '\t') || (c == ' ')) { s[i++] = ' '; @@ -578,7 +583,7 @@ if(c == CR) { c = getc(f); } - if(c == EOF || c == 0x4 || c == LF || i == (n-1)) { + if(c == EOF || c == 0x4 || c == LF || i >= (n-2)) { /* blast trailing whitespace */ while(i && (s[i-1] == ' ')) --i; s[i] = '\0';
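Review bot: In the first hunk (@@ -569,6 +569,11 @@), the new `if(n < 2)` guard returns 1, the same value the preceding `if(c == EOF) return 1;` uses, so a caller cannot tell a rejected buffer size from end of file, and `s` is left unwritten on this path. The guard also sits after the EOF test on `c`, so it runs only once `c` has been tested. Consider moving the size check to the top of the function, storing `s[0] = '\0'` when `n >= 1`, and documenting in the function comment that `n` must be at least 2.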
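Review bot: In the second hunk (@@ -578,7 +583,7 @@), the bound changes from `i == (n-1)` to `i >= (n-2)` with no comment on why the limit is two below `n` rather than one, or why the comparison moved from `==` to `>=`. The context shows `s[i++] = ' ';` in the whitespace branch at the top of the loop and `s[i] = '\0';` after the test, so the bound has to cover every store made between two evaluations of this condition; a short comment naming the write that needs the extra byte would keep a later edit from tightening it back. The subtraction is only safe because the first hunk rejects `n < 2`, and that dependency is worth stating next to the condition as well.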