httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mar...@hyperreal.org
Subject cvs commit: apache-1.3/src/modules/proxy proxy_ftp.c
Date Wed, 27 May 1998 15:29:31 GMT
martin      98/05/27 08:29:30

  Modified:    src      CHANGES
               src/modules/proxy proxy_ftp.c
  Log:
  [SECURITY] A possible buffer overflow in the ftp proxy code was fixed.
  (Large FTP responses could overflow a buffer)
  
  Revision  Changes    Path
  1.865     +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.864
  retrieving revision 1.865
  diff -u -u -r1.864 -r1.865
  --- CHANGES	1998/05/27 14:57:36	1.864
  +++ CHANGES	1998/05/27 15:29:28	1.865
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3b8
   
  +  *) [SECURITY] A possible buffer overflow in the ftp proxy was fixed.
  +     [Martin Kraemer]
  +
     *) Transform the configure message "You need root priviledges for suEXEC"
        from a fatal error into a (more friendly) warning because the building
        ("make") of Apache we can allow, of course. Root priviledges are needed
  
  
  
  1.59      +9 -9      apache-1.3/src/modules/proxy/proxy_ftp.c
  
  Index: proxy_ftp.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_ftp.c,v
  retrieving revision 1.58
  retrieving revision 1.59
  diff -u -u -r1.58 -r1.59
  --- proxy_ftp.c	1998/05/21 03:37:47	1.58
  +++ proxy_ftp.c	1998/05/27 15:29:30	1.59
  @@ -190,7 +190,7 @@
       int len, status;
       char linebuff[100], buff[5];
   
  -    len = ap_bgets(linebuff, 100, f);
  +    len = ap_bgets(linebuff, sizeof linebuff, f);
       if (len == -1)
   	return -1;
   /* check format */
  @@ -209,7 +209,7 @@
   	memcpy(buff, linebuff, 3);
   	buff[3] = ' ';
   	do {
  -	    len = ap_bgets(linebuff, 100, f);
  +	    len = ap_bgets(linebuff, sizeof linebuff, f);
   	    if (len == -1)
   		return -1;
   	    if (linebuff[len - 1] != '\n') {
  @@ -229,10 +229,10 @@
   {
       int len, status;
       char linebuff[100], buff[5];
  -    char *mb = msgbuf;
  -    int ml = msglen;
  +    char *mb = msgbuf,
  +	 *me = &msgbuf[msglen];
   
  -    len = ap_bgets(linebuff, 100, f);
  +    len = ap_bgets(linebuff, sizeof linebuff, f);
       if (len == -1)
   	return -1;
       if (len < 5 || !isdigit(linebuff[0]) || !isdigit(linebuff[1]) ||
  @@ -241,7 +241,7 @@
       else
   	status = 100 * linebuff[0] + 10 * linebuff[1] + linebuff[2] - 111 * '0';
   
  -    mb = ap_cpystrn(mb, linebuff+4, len-4 < ml ? len-4 : ml);
  +    mb = ap_cpystrn(mb, linebuff+4, me - mb);
   
       if (linebuff[len - 1] != '\n')
   	(void)ap_bskiplf(f);
  @@ -250,13 +250,13 @@
   	memcpy(buff, linebuff, 3);
   	buff[3] = ' ';
   	do {
  -	    len = ap_bgets(linebuff, 100, f);
  +	    len = ap_bgets(linebuff, sizeof linebuff, f);
   	    if (len == -1)
   		return -1;
   	    if (linebuff[len - 1] != '\n') {
   		(void)ap_bskiplf(f);
   	    }
  -            mb = ap_cpystrn(mb, linebuff+4, len-4 < ml ? len-4 : ml);
  +	    mb = ap_cpystrn(mb, linebuff+4, me - mb);
   	} while (memcmp(linebuff, buff, 4) != 0);
       }
       return status;
  @@ -352,7 +352,7 @@
   	hostlen = 0;
   
       while (!con->aborted) {
  -	n = ap_bgets(buf, IOBUFSIZE, f);
  +	n = ap_bgets(buf, sizeof buf, f);
   	if (n == -1) {		/* input error */
   	    if (f2 != NULL)
   		f2 = ap_proxy_cache_error(c);
  
  
  

Mime
View raw message