httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: WWW Form Bug Report: "Usr of ".map." in file name causes problems" on HPUX (fwd)
Date Fri, 28 Jun 1996 22:27:56 GMT

While I think in this situation it might be better to make sure that the
included file can actually be included (i.e., text/*,
application/x-httpd-cgi or whatever) I think a fix like the below would be
appropriate as well.  We should at least try and prevent cores no matter
what garbage the server is pointed at.

	Brian

On Fri, 28 Jun 1996, Michael Douglass wrote:
> On Fri, 28 Jun 1996, Michael Douglass wrote:
> 
> > On Fri, 28 Jun 1996, Alexei Kosut wrote:
> >
> >>> <code>
> >>> <img ismap src="blah.map.gif">
> >>> </code>
> >>>
> >>> Causes a Segmentation Violation, and that
> >>> daemon core dumps.  Unfortunately I can't
> >>> find the core file.
> >>
> >> This is no doubt due to the fact that you, again, are having the file
> >> parsed by the imagemap handler, and it is not expecting a GIF, but a text
> >> file with imagemap rules.
> 
> Hopefully I'm not too far off field here, but it is definitely the case
> and the problem seems very likely to be a buffer overflow.  Of course, this
> is just at first glance; but I can see how a binary file in the following
> code (where a text file is expected) can cause problems.  Hrm.. Seems
> to me that this would be the problem with that:
> 
> *** snip ***
>   char input[LARGEBUF] = {'\0'};
>   char directive[SMALLBUF] = {'\0'};
> *** snip ***
>     if (sscanf(input, "%s %s", directive, value) != 2) {
>       continue;                           /* make sure we read two fields */
>     }
> *** snip ***
> 
> I can think of two easy ways to make sure that the server doesn't core
> because of it.  One, make directive and value both LARGEBUF so that they
> are never overflowed; or two calculate the sizes of the two items before
> doing the sscanf and making sure that they will fit in a SMALLBUF.
> 
> ie.
> 
>     endpoint = strchr( input, ' ' );
>     if ( endpoint - input > SMALLBUF ) {
>         RETURN ERROR STATEMENT ABOUT MAP FILE BEING INVALID AND EXIT
>     }
> 
> Michael Douglass
> Texas Networking, Inc.
> 
>   "To be a saint is to be an exception; to be a true man is the rule.
>    Err, fail, sin if you must, but be upright.  To sin as little as
>    possible is the law for men; to sin not at all is a dream for angels."
> 
>               - Victor Hugo, "Les Miserables"
> 
> 
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
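
One way to carry out the second option Michael Douglass describes above (measure each field before copying it), as an added example that is not code from this thread or from Apache. The name `parse_map_line`, the return codes and the `SMALLBUF` value of 16 are assumptions; the check covers both fields and uses `>=` so the terminating NUL is counted.

```c
#include <stdio.h>
#include <string.h>

#define SMALLBUF 16   /* assumed size; the thread does not give the real value */

enum { MAP_OK = 0, MAP_SKIP = -1, MAP_INVALID = -2 };

/* Whitespace that sscanf's %s treats as a field separator in the C locale. */
static const char WS[] = " \t\n\v\f\r";

/* Hypothetical helper: split one map-file line into two fields, measuring
 * each token before copying so neither SMALLBUF destination can overflow.
 * MAP_SKIP mirrors the original "continue" when two fields are not present. */
int parse_map_line(const char *input, char directive[SMALLBUF],
                   char value[SMALLBUF])
{
    const char *d = input + strspn(input, WS);   /* start of first token  */
    size_t dlen = strcspn(d, WS);
    const char *v = d + dlen;
    v += strspn(v, WS);                          /* start of second token */
    size_t vlen = strcspn(v, WS);

    if (dlen == 0 || vlen == 0)
        return MAP_SKIP;
    /* >= rather than >: the terminating NUL needs a byte as well. */
    if (dlen >= SMALLBUF || vlen >= SMALLBUF)
        return MAP_INVALID;

    memcpy(directive, d, dlen);
    directive[dlen] = '\0';
    memcpy(value, v, vlen);
    value[vlen] = '\0';
    return MAP_OK;
}

int main(void)
{
    /* Constructed inputs: a valid rule, a one-field line, and a line whose
     * first token is longer than SMALLBUF, as binary image data can be. */
    const char *lines[] = {
        "default /index.html",
        "base",
        "GIF89a\x01\x02\x03\x04\x05\x06\x07\x08\x0e\x0f\x10\x11 x",
    };
    char directive[SMALLBUF], value[SMALLBUF];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("line %zu -> %d\n", i, parse_map_line(lines[i], directive, value));
    return 0;
}
```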

