From minf...@apache.org
Subject svn commit: r814852 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS support/htdbm.c
Date Mon, 14 Sep 2009 21:00:19 GMT
Author: minfrin
Date: Mon Sep 14 21:00:19 2009
New Revision: 814852

URL: http://svn.apache.org/viewvc?rev=814852&view=rev
Log:
Backport from trunk:
htdbm: Fix possible buffer overflow if dbm database has very
long values.
PR: 30586
Submitted by: Dan Poirier

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/support/htdbm.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=814852&r1=814851&r2=814852&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Sep 14 21:00:19 2009
@@ -7,6 +7,9 @@
   *) CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
      [Stefan Fritsch <sf fritsch.de>, Joe Orton]
 
+  *) htdbm: Fix possible buffer overflow if dbm database has very
+     long values.  PR 30586 [Dan Poirier]
+
   *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
 
   *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=814852&r1=814851&r2=814852&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Sep 14 21:00:19 2009
@@ -94,14 +94,6 @@
    +1: covener, poirier
    +1: minfrin (with r814779 for compiler warning fix)
 
- * htdbm: Avoid buffer overflows.
-   PR: 30586
-   Trunk patches: http://svn.apache.org/viewvc?view=rev&revision=797563
-                  http://svn.apache.org/viewvc?view=rev&revision=814781
-                  http://svn.apache.org/viewvc?view=rev&revision=814792
-   2.2.x patch: http://people.apache.org/~poirier/patch3-2.2.x-PR30586.txt
-   +1: poirier, minfrin, rpluem
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

Modified: httpd/httpd/branches/2.2.x/support/htdbm.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/support/htdbm.c?rev=814852&r1=814851&r2=814852&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/support/htdbm.c (original)
+++ httpd/httpd/branches/2.2.x/support/htdbm.c Mon Sep 14 21:00:19 2009
@@ -219,7 +219,7 @@
 static apr_status_t htdbm_verify(htdbm_t *htdbm)
 {
     apr_datum_t key, val;
-    char pwd[MAX_STRING_LEN] = {0};
+    char *pwd;
     char *rec, *cmnt;
 
     key.dptr = htdbm->username;
@@ -231,9 +231,9 @@
     rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
     cmnt = strchr(rec, ':');
     if (cmnt)
-        strncpy(pwd, rec, cmnt - rec);
+        pwd = apr_pstrndup(htdbm->pool, rec, cmnt - rec);
     else
-        strcpy(pwd, rec);
+        pwd = apr_pstrdup(htdbm->pool, rec);
     return apr_password_validate(htdbm->userpass, pwd);
 }
 
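Review bot: Both branches now allocate a second pool copy of a record that is already a private, NUL-terminated copy, since `rec` comes from `apr_pstrndup` on the line above. Truncating in place would do the same job without the extra allocations: `if (cmnt) *cmnt = '\0';` followed by `return apr_password_validate(htdbm->userpass, rec);`. A short comment such as `/* record is "hash[:comment]"; only the hash part is validated */` would also help. The opening of `htdbm_verify` is in the previous hunk.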
@@ -241,8 +241,7 @@
 {
     apr_status_t rv;
     apr_datum_t key, val;
-    char *rec, *cmnt;
-    char kb[MAX_STRING_LEN];
+    char *cmnt;
     int i = 0;
 
     rv = apr_dbm_firstkey(htdbm->dbm, &key);
@@ -250,24 +249,19 @@
         fprintf(stderr, "Empty database -- %s\n", htdbm->filename);
         return APR_ENOENT;
     }
-    rec = apr_pcalloc(htdbm->pool, HUGE_STRING_LEN);
-
     fprintf(stderr, "Dumping records from database -- %s\n", htdbm->filename);
-    fprintf(stderr, "    %-32sComment\n", "Username");
+    fprintf(stderr, "    %-32s Comment\n", "Username");
     while (key.dptr != NULL) {
         rv = apr_dbm_fetch(htdbm->dbm, key, &val);
         if (rv != APR_SUCCESS) {
             fprintf(stderr, "Failed getting data from %s\n", htdbm->filename);
             return APR_EGENERAL;
         }
-        strncpy(kb, key.dptr, key.dsize);
-        kb[key.dsize] = '\0';
-        fprintf(stderr, "    %-32s", kb);
-        strncpy(rec, val.dptr, val.dsize);
-        rec[val.dsize] = '\0';
-        cmnt = strchr(rec, ':');
+        /* Note: we don't store \0-terminators on our dbm data */
+        fprintf(stderr, "    %-32.*s", (int)key.dsize, key.dptr);
+        cmnt = memchr(val.dptr, ':', val.dsize);
         if (cmnt)
-            fprintf(stderr, "%s", cmnt + 1);
+            fprintf(stderr, " %.*s", (int)(val.dptr+val.dsize - (cmnt+1)), cmnt + 1);
         fprintf(stderr, "\n");
         rv = apr_dbm_nextkey(htdbm->dbm, &key);
         if (rv != APR_SUCCESS)
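Review bot: The `(int)` casts on `key.dsize` and on the comment length in the two `%.*s` calls can go negative for a datum larger than INT_MAX. A negative precision is treated as if it were omitted, so `fprintf` would then read past the end of the dbm data, which the added comment says is stored without a terminator. Clamping before the cast keeps the bound in force, e.g. `int klen = key.dsize > INT_MAX ? INT_MAX : (int)key.dsize;`, and likewise for the comment length (this needs `<limits.h>` if it is not already included). Key and comment bytes are also written to stderr unfiltered, so control characters stored in the database reach the terminal; consider replacing non-printable bytes before printing. The function begins and continues outside this hunk.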


