httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: big patch for buffer overflow fixes
Date Wed, 01 Jan 1997 18:37:47 GMT
> > > Here is a patch for all the buffer overflow and potential buffer overflows
> > > in apache that I noticed in my run through the source.  First, a few Q&A
> > > that I asked myself. 
> > 
> > Few of these changes seem to apply to anything but the error code.
> > 
> > Based on that, I don't have a big problem with adding them. A few 
> > comments though.
> > 
> > * Ben added the vbprintf() code awhile back. Seems like a fair chunk
> >   of that code could be used to supply an snprintf() that could be
> >   used more effectively to keep these sorts of problems from creeping
> >   back in.
> > 
> > * IF we decide to include these changes, seems that it would be nice
> >   to get them in a fair bit _before_ the proposed changes that Ben
> >   will be making to the API just to make it a bit easier to pin down
> >   problem causers if there are any.
> > 
> Xinetd also has strx_nprint() and strx_nprintv() functions to do this. I
> sent mail to Mark about these, if they'd be of help.
> 
> It's a tough job, and I'm glad Mark's doing it.
> 
> chuck

If I didn't make that point in my earlier mail, I agree. Thanks for
grabbing this, Marc. Since Marc seems to be taking on some of these
security issues, I would really appreciate his comments regarding the
suexec stuff as well.



