From Michael Douglass <>
Subject Re: WWW Form Bug Report: "Usr of ".map." in file name causes problems" on HPUX (fwd)
Date Fri, 28 Jun 1996 19:48:13 GMT
On Fri, 28 Jun 1996, Michael Douglass wrote:

> On Fri, 28 Jun 1996, Alexei Kosut wrote:
>>> <code>
>>> <img ismap src="">
>>> </code>
>>> Causes a Segmentation Violation, and then the
>>> daemon core dumps.  Unfortunately I can't
>>> find the core file.
>> This is no doubt due to the fact that you, again, are having the file
>> parsed by the imagemap handler, and it is not expecting a GIF, but a text
>> file with imagemap rules.

Hopefully I'm not too far off field here, but it is definitely the case
and the problem seems very likely to be a buffer overflow.  Of course, this
is just at first glance; but I can see how a binary file in the following
code (where a text file is expected) can cause problems.  Hrm.. Seems
to me that this would be the problem with that:

*** snip ***
  char input[LARGEBUF] = {'\0'};
  char directive[SMALLBUF] = {'\0'};
*** snip ***
    if (sscanf(input, "%s %s", directive, value) != 2) {
      continue;                           /* make sure we read two fields */
*** snip ***

I can think of two easy ways to make sure that the server doesn't core
because of it.  One, make directive and value both LARGEBUF so that they
are never overflowed; or two, calculate the sizes of the two items before
doing the sscanf and make sure that they will fit in a SMALLBUF.


    endpoint = strchr( input, ' ' );
    /* no blank at all, or the first field would not fit with its NUL */
    if ( endpoint == NULL || endpoint - input >= SMALLBUF ) {

Michael Douglass
Texas Networking, Inc.

  "To be a saint is to be an exception; to be a true man is the rule.
   Err, fail, sin if you must, but be upright.  To sin as little as
   possible is the law for men; to sin not at all is a dream for angels."

              - Victor Hugo, "Les Miserables"
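A hardened form of the line parse discussed in the mail, added here as an example (not Apache's code). It measures both fields before copying, as the second suggested fix; LARGEBUF/SMALLBUF values and the demo inputs are assumed and constructed.

```c
#include <string.h>
#define LARGEBUF 2048   /* assumed sizes; the mail does not give Apache's values */
#define SMALLBUF 64
/* Read "directive value" from one imagemap line without writing more than
 * SMALLBUF-1 bytes plus a NUL into either destination.  Both tokens are
 * measured before anything is copied (the mail's second suggestion); a
 * missing field or an oversized token is rejected.  Returns 1 or 0. */
int parse_imagemap_line(const char *input, char *directive, char *value)
{
    const char *tok[2];
    size_t len[2];
    const char *p = input;
    int i;

    for (i = 0; i < 2; i++) {
        p += strspn(p, " \t");             /* skip blanks before the field */
        tok[i] = p;
        len[i] = strcspn(p, " \t\r\n");    /* field runs to next blank or EOL */
        if (len[i] == 0 || len[i] >= SMALLBUF)
            return 0;                      /* no field, or no room for the NUL */
        p += len[i];
    }
    /* A width-limited sscanf ("%63s %63s") also prevents the overflow but
     * silently splits an overlong first token across both fields. */
    memcpy(directive, tok[0], len[0]); directive[len[0]] = '\0';
    memcpy(value, tok[1], len[1]);     value[len[1]] = '\0';
    return 1;
}

/* Constructed inputs standing in for lines of a real map file. */
int demo_valid(void)
{
    char d[SMALLBUF], v[SMALLBUF];
    return parse_imagemap_line("rect /docs/index.html 0,0 100,50", d, v)
        && strcmp(d, "rect") == 0 && strcmp(v, "/docs/index.html") == 0;
}

int demo_overlong(void)   /* a 200-byte run with no blank, like raw GIF bytes */
{
    char line[LARGEBUF], d[SMALLBUF], v[SMALLBUF];
    memset(line, 'A', 200); strcpy(line + 200, " x");
    return parse_imagemap_line(line, d, v);   /* 0: rejected, nothing written */
}

int demo_one_field(void)
{
    char d[SMALLBUF], v[SMALLBUF];
    return parse_imagemap_line("default", d, v);  /* 0: second field missing */
}
```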

