httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject big patch for buffer overflow fixes
Date Wed, 01 Jan 1997 08:47:58 GMT
Here is a patch for all the buffer overflow and potential buffer overflows
in apache that I noticed in my run through the source.  First, a few Q&A
that I asked myself. 

Q: are you a demented freak?  Why do you need to be sure that <x> doesn't
   overflow, it is just a strcpy() from a macro.  If someone is stupid
   enough to define that as something that is too long, that's their
   problem.
A: Yes.  However, just because today there is no chance in hell of
   something being a problem doesn't mean it won't be modified in the
   future to be dynamically configurable without fixing it up so there
   can be no overflows.  Strings in C suck because they don't exist,
   so being paranoid isn't a bad thing.

Q: Your patches are ugly.  Very ugly.  Ugly.  Did I mention I think
   they are ugly?  All these hardcoded numbers pulled from thin air.  Why?
A: Yes, it is ugly.  If I had a snprintf(), I would gladly use it.  I
   was almost tempted to put together one to bundle with apache.
   Some of the patches are ugly, but in the name of portability
   there isn't much choice at times.  If you have a better way of
   doing something, please bring it up.  The most time was spent
   finding the problems, so all that matters is that some fix is
   applied.

Q: But the length of <x> is already checked by <y> three subroutines
   above <z> so it doesn't have to be limited at <z>.  You are making
   apache slow.
A: Things are not always as they appear.  Better safe than sorry.  And
   you are probably right.  

Q: But { port number, etc. } can only be { 16 bits, etc. } long, so
   you shouldn't need more than { 5, etc. } bytes to store it as a
   string.
A: Sure, but I'm not willing to bet that all the input routines know
   that.

Q: These patches are awfully long to put in right before a release.
   What happens when they break something in the release?
A: I agree.  _PLEASE_ go through these patches closely, paying special
   attention to any code you have more-than-usual involvement with to
   be sure nothing is screwed up.  If anything even faintly hints of
   being wrong, say so.

Q: Couldn't these wait until after 1.2?
A: Most of them could, since most of them can either not be exploited
   right now or simply can not be a problem at all with the way things
   are. Problem is, it can be quite complicated finding out which
   ones are currently exploitable.  There are around half a dozen
   places where people can cause apache to travel a significant
   amount beyond the end of an array and fill the memory with
   arbitrary data.


Index: http_config.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_config.c,v
retrieving revision 1.38
diff -u -r1.38 http_config.c
--- http_config.c	1996/12/24 19:43:48	1.38
+++ http_config.c	1996/12/31 01:06:45
@@ -236,7 +236,7 @@
     for(n=0 ; aMethods[n].offset >= 0 ; ++n)
 	if(aMethods[n].offset == offset)
 	    break;
-    sprintf(buf,"%s:%s",modp->name,aMethods[n].method);
+    sprintf(buf,"%.99s:%.99s",modp->name,aMethods[n].method);
     return buf;
     }
 #else
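Review bot: the `%.99s:%.99s` precisions in this hunk assume `buf` holds at least 200 bytes (99 + ':' + 99 + NUL), but the declaration of `buf` is not in the hunk and nothing ties the two numbers to its size. Since the function returns `buf`, it is presumably a static array; add a comment on the declaration stating the 200-byte minimum, or size the array from the same constant the precisions are derived from, so a later resize of `buf` cannot silently reopen the overflow.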
Index: http_core.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_core.c,v
retrieving revision 1.54
diff -u -r1.54 http_core.c
--- http_core.c	1996/12/28 00:04:49	1.54
+++ http_core.c	1996/12/31 01:23:20
@@ -879,7 +879,8 @@
 
 const char *set_server_root (cmd_parms *cmd, void *dummy, char *arg) {
     if (!is_directory (arg)) return "ServerRoot must be a valid directory";
-    strcpy (server_root, arg);
+    strncpy (server_root, arg, sizeof(server_root)-1);
+    server_root[sizeof(server_root)-1] = '\0';
     return NULL;
 }
 
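Review bot: silent truncation here can point ServerRoot at a directory other than the one `is_directory(arg)` just validated, because the check runs on the full `arg` and the copy keeps only the first `sizeof(server_root)-1` bytes. Rejecting an overlong value is safer than truncating it: check `strlen(arg) >= sizeof(server_root)` before the copy and return an error string such as "ServerRoot path too long", the same way the directory check returns one. Note also that `sizeof(server_root)` only yields the buffer size if `server_root` is declared as an array in this translation unit, not as a pointer.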
Index: http_main.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_main.c,v
retrieving revision 1.99
diff -u -r1.99 http_main.c
--- http_main.c	1996/12/28 00:09:10	1.99
+++ http_main.c	1997/01/01 07:45:08
@@ -410,11 +410,11 @@
     if (timeout_req != NULL) dirconf = timeout_req->per_dir_config;
     else dirconf = current_conn->server->lookup_defaults;
     if (sig == SIGPIPE) {
-        sprintf(errstr,"%s lost connection to client %s",
+        sprintf(errstr,"%.400s lost connection to client %.400s",
 	    timeout_name ? timeout_name : "request",
 	    get_remote_host(current_conn, dirconf, REMOTE_NAME));
     } else {
-        sprintf(errstr,"%s timed out for %s",
+        sprintf(errstr,"%.400s timed out for %.400s",
 	    timeout_name ? timeout_name : "request",
 	    get_remote_host(current_conn, dirconf, REMOTE_NAME));
     }
@@ -536,7 +536,6 @@
     caddr_t m;
 
 #ifdef __EMX__
-    char errstr[MAX_STRING_LEN];
     int rc;
 
     m = (caddr_t)create_shared_heap("\\SHAREMEM\\SCOREBOARD", HARD_SERVER_LIMIT*sizeof(short_score));
@@ -773,7 +772,6 @@
 #ifdef __EMX__
 #ifdef HAVE_MMAP
     caddr_t m;
-    char errstr[MAX_STRING_LEN];
     int rc;
 
     m = (caddr_t)get_shared_heap("\\SHAREMEM\\SCOREBOARD");
@@ -2017,16 +2015,20 @@
     ptrans = make_sub_pool(pconf);
     
     server_argv0 = argv[0];
-    strcpy (server_root, HTTPD_ROOT);
-    strcpy (server_confname, SERVER_CONFIG_FILE);
+    strncpy (server_root, HTTPD_ROOT, sizeof(server_root)-1);
+    server_root[sizeof(server_root)-1] = '\0';
+    strncpy (server_confname, SERVER_CONFIG_FILE, sizeof(server_root)-1);
+    server_confname[sizeof(server_confname)-1] = '\0';
 
     while((c = getopt(argc,argv,"Xd:f:vhl")) != -1) {
         switch(c) {
           case 'd':
-            strcpy (server_root, optarg);
+            strncpy (server_root, optarg, sizeof(server_root)-1);
+            server_root[sizeof(server_root)-1] = '\0';
             break;
           case 'f':
-            strcpy (server_confname, optarg);
+            strncpy (server_confname, optarg, sizeof(server_confname)-1);
+            server_confname[sizeof(server_confname)-1] = '\0';
             break;
           case 'v':
             printf("Server version %s.\n",SERVER_VERSION);
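Review bot: the `SERVER_CONFIG_FILE` copy uses the wrong bound: `strncpy (server_confname, SERVER_CONFIG_FILE, sizeof(server_root)-1);` limits by `sizeof(server_root)` while the terminating write on the next line uses `sizeof(server_confname)`. If the two arrays differ in size the copy can still overrun `server_confname`. Change the third argument to `sizeof(server_confname)-1` to match the `-f` case below.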
Index: http_protocol.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_protocol.c,v
retrieving revision 1.85
diff -u -r1.85 http_protocol.c
--- http_protocol.c	1996/12/28 00:04:51	1.85
+++ http_protocol.c	1997/01/01 02:33:55
@@ -225,7 +225,7 @@
 	 * that sets the output to chunked encoding if it is not already
 	 * length-delimited.  It is not a bug, though it is annoying.
 	 */
-	char header[26];
+	char header[MAX_STRING_LEN];
 	int left = r->server->keep_alive - r->connection->keepalives;
 	
 	r->connection->keepalive = 1;
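Review bot: growing `header` from 26 to `MAX_STRING_LEN` (8192 bytes of stack) is a blunt fix and the hunk does not show the `sprintf` that fills it, so the new size cannot be checked against the format. If the header is built from `left` and a timeout value, two `%d` conversions plus the fixed text fit comfortably in 64 bytes; state the worst-case length in a comment next to the declaration and size the array from it rather than from `MAX_STRING_LEN`.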
@@ -749,7 +749,7 @@
 
 void note_digest_auth_failure(request_rec *r)
 {
-    char nonce[10];
+    char nonce[256];
 
     sprintf(nonce, "%lu", r->request_time);
     table_set (r->err_headers_out, "WWW-Authenticate",
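Review bot: the old `nonce[10]` was genuinely too small for `sprintf(nonce, "%lu", r->request_time)`: an unsigned long needs up to 11 bytes including the NUL on 32-bit platforms and up to 21 on 64-bit ones, and a ten-digit seconds-since-epoch value would already overflow by one byte. 256 is therefore more than enough; a comment recording the 21-byte worst case would let a future reader shrink it without reintroducing the bug.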
Index: http_request.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_request.c,v
retrieving revision 1.33
diff -u -r1.33 http_request.c
--- http_request.c	1996/12/24 18:06:16	1.33
+++ http_request.c	1996/12/31 06:11:11
@@ -961,7 +961,7 @@
 request_rec *internal_internal_redirect (const char *new_uri, request_rec *r)
 {
     request_rec *new = (request_rec *)pcalloc(r->pool, sizeof(request_rec));
-    char t[10];			/* Long enough... */
+    char t[256];			/* Long enough... */
   
     new->connection = r->connection;
     new->server = r->server;
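Review bot: the "Long enough..." comment on `char t[256]` gives no bound to check against, and the hunk does not show what is formatted into `t`. Replace the comment with the actual worst-case length of whatever is written there (for a single integer conversion, 21 bytes covers a 64-bit value), so the next person can tell whether 256 is slack or still short.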
Index: httpd.h
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/httpd.h,v
retrieving revision 1.75
diff -u -r1.75 httpd.h
--- httpd.h	1996/12/24 21:48:27	1.75
+++ httpd.h	1997/01/01 02:12:06
@@ -177,6 +177,7 @@
 #endif
 
 /* The default string lengths */
+/* Can not be decreased without modifying hard-coded buffer overflow checks */
 #define MAX_STRING_LEN HUGE_STRING_LEN
 #define HUGE_STRING_LEN 8192
 
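Review bot: the new comment says `MAX_STRING_LEN` cannot be decreased, but the hard-coded precisions this patch introduces (99, 100, 120, 127, 200, 255, 400, 500) are tied to several different buffers, not only `MAX_STRING_LEN`-sized ones (`SMALLBUF` in mod_imap, a 200-byte `buf` in http_config.c). Either list the affected constants here (`MAX_STRING_LEN`, `HUGE_STRING_LEN`, `SMALLBUF`) or define the precisions as macros beside the buffer sizes they depend on, so the dependency is visible where someone would change it.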
Index: mod_auth.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth.c,v
retrieving revision 1.10
diff -u -r1.10 mod_auth.c
--- mod_auth.c	1996/12/24 19:10:29	1.10
+++ mod_auth.c	1996/12/31 06:28:23
@@ -198,14 +198,14 @@
     if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) {
 	if (!(sec->auth_authoritative))
 	    return DECLINED;
-        sprintf(errstr,"user %s not found",c->user);
+        sprintf(errstr,"user %.500s not found",c->user);
 	log_reason (errstr, r->uri, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
     }
     /* anyone know where the prototype for crypt is? */
     if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
-        sprintf(errstr,"user %s: password mismatch",c->user);
+        sprintf(errstr,"user %.500s: password mismatch",c->user);
 	log_reason (errstr, r->uri, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
Index: mod_auth_anon.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_anon.c,v
retrieving revision 1.11
diff -u -r1.11 mod_auth_anon.c
--- mod_auth_anon.c	1996/12/01 20:28:48	1.11
+++ mod_auth_anon.c	1996/12/31 06:31:04
@@ -239,14 +239,14 @@
 	  ) 
 	) {
       if (sec->auth_anon_logemail) {
-	sprintf(errstr,"Anonymous: Passwd <%s> Accepted", 
+	sprintf(errstr,"Anonymous: Passwd <%.500s> Accepted", 
 			send_pw ? send_pw : "\'none\'");
 	log_error (errstr, r->server );
       }
       return OK;
     } else {
         if (sec->auth_anon_authoritative) {
-	sprintf(errstr,"Anonymous: Authoritative, Passwd <%s> not accepted",
+	sprintf(errstr,"Anonymous: Authoritative, Passwd <%.500s> not accepted",
 		send_pw ? send_pw : "\'none\'");
 	log_error(errstr,r->server);
 	return AUTH_REQUIRED;
Index: mod_auth_db.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_db.c,v
retrieving revision 1.8
diff -u -r1.8 mod_auth_db.c
--- mod_auth_db.c	1996/12/24 20:55:26	1.8
+++ mod_auth_db.c	1996/12/31 06:34:03
@@ -201,7 +201,7 @@
     if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) {
 	if (!(sec -> auth_dbauthoritative))
 	    return DECLINED; 
-        sprintf(errstr,"DB user %s not found", c->user);
+        sprintf(errstr,"DB user %.500s not found", c->user);
 	log_reason (errstr, r->filename, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
@@ -211,7 +211,7 @@
     if (colon_pw) *colon_pw='\0';   
     /* anyone know where the prototype for crypt is? */
     if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
-        sprintf(errstr,"user %s: password mismatch",c->user);
+        sprintf(errstr,"user %.500s: password mismatch",c->user);
 	log_reason (errstr, r->uri, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
@@ -253,7 +253,7 @@
            if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
 	       if (!(sec->auth_dbauthoritative))
 		 return DECLINED;
-               sprintf(errstr,"user %s not in DB group file %s",
+               sprintf(errstr,"user %.500s not in DB group file %s",
 		       user, sec->auth_dbgrpfile);
 	       log_reason (errstr, r->filename, r);
 	       note_basic_auth_failure (r);
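Review bot: only the first conversion is bounded in `"user %.500s not in DB group file %s"`; `sec->auth_dbgrpfile` is still an unbounded `%s`. The matching hunk in mod_auth_dbm.c bounds both (`"user %.500s not in DBM group file %.500s"`); make this one consistent, since the group-file path comes from configuration and can be arbitrarily long.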
@@ -269,7 +269,7 @@
                        return OK;
                }
            }
-           sprintf(errstr,"user %s not in right group",user);
+           sprintf(errstr,"user %.500s not in right group",user);
 	   log_reason (errstr, r->filename, r);
            note_basic_auth_failure(r);
 	   return AUTH_REQUIRED;
Index: mod_auth_dbm.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_dbm.c,v
retrieving revision 1.11
diff -u -r1.11 mod_auth_dbm.c
--- mod_auth_dbm.c	1996/12/24 19:10:30	1.11
+++ mod_auth_dbm.c	1996/12/31 06:36:02
@@ -189,7 +189,7 @@
     if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) {
 	if (!(sec->auth_dbmauthoritative))
 	    return DECLINED;
-        sprintf(errstr,"DBM user %s not found", c->user);
+        sprintf(errstr,"DBM user %.500s not found", c->user);
 	log_reason (errstr, r->filename, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
@@ -199,7 +199,7 @@
     if (colon_pw) *colon_pw='\0';   
     /* anyone know where the prototype for crypt is? */
     if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
-        sprintf(errstr,"user %s: password mismatch",c->user);
+        sprintf(errstr,"user %.500s: password mismatch",c->user);
 	log_reason (errstr, r->uri, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
@@ -241,7 +241,7 @@
            if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) {
 	       if (!(sec->auth_dbmauthoritative))
 	           return DECLINED;
-               sprintf(errstr,"user %s not in DBM group file %s",
+               sprintf(errstr,"user %.500s not in DBM group file %.500s",
 		       user, sec->auth_dbmgrpfile);
 	       log_reason (errstr, r->filename, r);
 	       note_basic_auth_failure (r);
@@ -257,7 +257,7 @@
                        return OK;
                }
            }
-           sprintf(errstr,"user %s not in right group",user);
+           sprintf(errstr,"user %.500s not in right group",user);
 	   log_reason (errstr, r->filename, r);
            note_basic_auth_failure(r);
 	   return AUTH_REQUIRED;
Index: mod_auth_msql.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_msql.c,v
retrieving revision 1.16
diff -u -r1.16 mod_auth_msql.c
--- mod_auth_msql.c	1996/12/24 21:00:52	1.16
+++ mod_auth_msql.c	1997/01/01 07:33:40
@@ -560,7 +560,7 @@
 
       /* does this fit ? */
       if (j >= (MAX_FIELD_LEN-1)) {
-	sprintf(msql_errstr,"Could not escape '%s', longer than %d",in,MAX_FIELD_LEN);
+	sprintf(msql_errstr,"Could not escape '%.500s', longer than %d",in,MAX_FIELD_LEN);
 	return NULL;
 	};
 
@@ -602,7 +602,7 @@
 	 */
     	if (sock==-1) if ((sock=msqlConnect(host)) == -1) {
 		sprintf (msql_errstr,
-			"mSQL: Could not connect to Msql DB %s (%s)",
+			"mSQL: Could not connect to Msql DB %.500s (%.500s)",
 			(sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
 			msqlErrMsg);
 		return NULL;
@@ -612,7 +612,7 @@
 	 * and is quite cheap anyway
 	 */
     	if (msqlSelectDB(sock,sec->auth_msql_database) == -1 ) {
-		sprintf (msql_errstr,"mSQL: Could not select Msql Table \'%s\' on host \'%s\'(%s)",
+		sprintf (msql_errstr,"mSQL: Could not select Msql Table \'%.500s\' on host \'%.500s\'(%.500s)",
 			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
 		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
 			msqlErrMsg);
@@ -622,7 +622,7 @@
 		}
 
     	if (msqlQuery(sock,query) == -1 ) {
-		sprintf (msql_errstr,"mSQL: Could not Query database '%s' on host '%s' (%s) with query [%s]",
+		sprintf (msql_errstr,"mSQL: Could not Query database '%.500s' on host '%.500s' (%.500s) with query [%.500s]",
 			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
 		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
 		        msqlErrMsg,
@@ -633,7 +633,7 @@
 		}
 
 	if (!(results=msqlStoreResult())) {
-		sprintf (msql_errstr,"mSQL: Could not get the results from mSQL database \'%s\' on \'%s\' (%s) with query [%s]",
+		sprintf (msql_errstr,"mSQL: Could not get the results from mSQL database \'%.500s\' on \'%.500s\' (%.500s) with query [%.500s]",
 			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
 		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
 			msqlErrMsg,
@@ -649,7 +649,7 @@
           /* complain if there are to many
            * matches.
            */
-          sprintf (msql_errstr,"mSQL: More than %d matches (%d) whith query [%s]",
+          sprintf (msql_errstr,"mSQL: More than %d matches (%d) whith query [%.500s]",
           	   once,hit,( query ? query : "\'unset!\'") );
 	} else
 	/* if we have a it, try to get it
@@ -658,7 +658,7 @@
 		if ( (currow=msqlFetchRow(results)) != NULL) {
 			/* copy the first matching field value */
 			if (!(result=palloc(r->pool,strlen(currow[0])+1))) {
-				sprintf (msql_errstr,"mSQL: Could not get memory for mSQL %s (%s) with [%s]",
+				sprintf (msql_errstr,"mSQL: Could not get memory for mSQL %.500s (%.500s) with [%.500s]",
 					(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
 					msqlErrMsg,
 					( query ? query : "\'unset!\'") );
@@ -706,7 +706,7 @@
 
     	if (!(msql_escape(esc_user, user, msql_errstr))) {
 		sprintf(msql_errstr,
-			"mSQL: Could not cope/escape the '%s' user_id value; ",user);
+			"mSQL: Could not cope/escape the '%.500s' user_id value; ",user);
 		return NULL;
     	};
     	sprintf(query,"select %s from %s where %s='%s'",
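Review bot: the error message is bounded but the query construction on the last context line of this hunk, `sprintf(query,"select %s from %s where %s='%s'",`, is left with four unbounded `%s` conversions. `msql_escape` limits the user value to `MAX_FIELD_LEN`, but the column and table names come from the configuration and have no such limit. Apply the same `%.Ns` treatment to the `query` sprintf, or check the total length before formatting.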
@@ -742,13 +742,13 @@
 
     	if (!(msql_escape(esc_user, user,msql_errstr))) {
 		sprintf(msql_errstr,
-			"mSQL: Could not cope/escape the '%s' user_id value",user);
+			"mSQL: Could not cope/escape the '%.500s' user_id value",user);
 
 		return NULL;
     	};
     	if (!(msql_escape(esc_group, group,msql_errstr))) {
 		sprintf(msql_errstr,
-			"mSQL: Could not cope/escape the '%s' group_id value",group);
+			"mSQL: Could not cope/escape the '%.500s' group_id value",group);
 
 		return NULL;
     	};
@@ -795,7 +795,7 @@
 		if (sec->auth_msql_authoritative) {
           	   /* insist that the user is in the database
           	    */
-          	   sprintf(msql_errstr,"mSQL: Password for user %s not found", c->user);
+          	   sprintf(msql_errstr,"mSQL: Password for user %.500s not found", c->user);
 		   note_basic_auth_failure (r);
 		   res = AUTH_REQUIRED;
 		   } else {
@@ -814,7 +814,7 @@
 
     if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) {
 /*
-        sprintf(msql_errstr,"mSQL: user %s: Empty/'any' password accepted",c->user);
+        sprintf(msql_errstr,"mSQL: user %.500s: Empty/'any' password accepted",c->user);
 	log_reason (msql_errstr, r->uri, r);
  */
 	return OK;
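Review bot: the `sprintf` changed in this hunk sits inside a `/* ... */` comment block (the `/*` opens two lines above and `*/` closes just below), so the edit has no effect on compiled code. Harmless, but it inflates the patch; either drop this hunk or remove the dead commented-out logging entirely.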
@@ -824,7 +824,7 @@
      * an arms length.
      */
     if ((!strlen(real_pw)) || (!strlen(sent_pw))) {
-        sprintf(msql_errstr,"mSQL: user %s: Empty Password(s) Rejected",c->user);
+        sprintf(msql_errstr,"mSQL: user %.500s: Empty Password(s) Rejected",c->user);
 	log_reason (msql_errstr, r->uri, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
@@ -842,7 +842,7 @@
         };
 
     if (strcmp(real_pw,sent_pw)) {
-        sprintf(msql_errstr,"mSQL user %s: password mismatch",c->user);
+        sprintf(msql_errstr,"mSQL user %.500s: password mismatch",c->user);
 	log_reason (msql_errstr, r->uri, r);
 	note_basic_auth_failure (r);
 	return AUTH_REQUIRED;
@@ -873,7 +873,7 @@
 
     if (!reqs_arr) {
 	if (sec->auth_msql_authoritative) {
-	        sprintf(msql_errstr,"user %s denied, no access rules specified (MSQL-Authoritative) ",user);
+	        sprintf(msql_errstr,"user %.500s denied, no access rules specified (MSQL-Authoritative) ",user);
 		log_reason (msql_errstr, r->uri, r);
 	        note_basic_auth_failure(r);
 		return AUTH_REQUIRED;
@@ -898,7 +898,7 @@
 		};
             }
 	    if ((sec->auth_msql_authoritative) && ( user_result != OK)) {
-           	sprintf(msql_errstr,"User %s not found (MSQL-Auhtorative)",user);
+           	sprintf(msql_errstr,"User %.500s not found (MSQL-Auhtorative)",user);
 		log_reason (msql_errstr, r->uri, r);
            	note_basic_auth_failure(r);
 		return AUTH_REQUIRED;
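Review bot: while touching this format string, the existing typo "MSQL-Auhtorative" in `"User %.500s not found (MSQL-Auhtorative)"` could be corrected to "MSQL-Authoritative" to match the spelling used in the neighbouring messages; log greps for the module's messages currently miss this one.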
@@ -926,7 +926,7 @@
 		};
 
 	   if ( (sec->auth_msql_authoritative) && (group_result != OK) ) {
-           	sprintf(msql_errstr,"user %s not in right groups (MSQL-Authoritative) ",user);
+           	sprintf(msql_errstr,"user %.500s not in right groups (MSQL-Authoritative) ",user);
 		log_reason (msql_errstr, r->uri, r);
            	note_basic_auth_failure(r);
 		return AUTH_REQUIRED;
Index: mod_cgi.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.26
diff -u -r1.26 mod_cgi.c
--- mod_cgi.c	1996/12/24 20:03:23	1.26
+++ mod_cgi.c	1996/12/31 06:47:19
@@ -332,7 +332,7 @@
      */
     
     sprintf(err_string,
-	    "exec of %s failed, errno is %d\n", r->filename, errno);
+	    "exec of %.500s failed, errno is %d\n", r->filename, errno);
     write(2, err_string, strlen(err_string));
     exit(0);
 }
Index: mod_digest.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_digest.c,v
retrieving revision 1.11
diff -u -r1.11 mod_digest.c
--- mod_digest.c	1996/12/01 20:28:57	1.11
+++ mod_digest.c	1996/12/31 06:48:59
@@ -277,14 +277,14 @@
         return DECLINED;
 	
     if (!(a1 = get_hash(r, c->user, sec->pwfile))) {
-        sprintf(errstr,"user %s not found",c->user);
+        sprintf(errstr,"user %.500s not found",c->user);
 	log_reason (errstr, r->uri, r);
 	note_digest_auth_failure (r);
 	return AUTH_REQUIRED;
     }
     /* anyone know where the prototype for crypt is? */
     if(strcmp(response->digest, find_digest(r, response, a1))) {
-        sprintf(errstr,"user %s: password mismatch",c->user);
+        sprintf(errstr,"user %.500s: password mismatch",c->user);
 	log_reason (errstr, r->uri, r);
 	note_digest_auth_failure (r);
 	return AUTH_REQUIRED;
Index: mod_fastcgi.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_fastcgi.c,v
retrieving revision 1.4
diff -u -r1.4 mod_fastcgi.c
--- mod_fastcgi.c	1996/12/28 00:04:52	1.4
+++ mod_fastcgi.c	1996/12/31 07:07:16
@@ -2192,14 +2192,14 @@
     serverInfoPtr = LookupFcgiServerInfo(execPath);
     if(serverInfoPtr != NULL) {
         sprintf(errMsg,
-                "AppClass: Redefinition of previously defined class %s\n",
+                "AppClass: Redefinition of previously defined class %.500s\n",
                 execPath);
         goto ErrorReturn;
     }
     uid = (user_id == (uid_t) -1)  ? geteuid() : user_id;
     gid = (group_id == (gid_t) -1) ? getegid() : group_id;
     if(WS_Access(execPath, X_OK, uid, gid)) {
-        sprintf(errMsg, "AppClass: Could not access file %s\n", execPath);
+        sprintf(errMsg, "AppClass: Could not access file %.500s\n", execPath);
         goto ErrorReturn;
     }
     /*
@@ -2276,7 +2276,7 @@
             *valuePtr = '=';
             continue;
         } else {
-            sprintf(errMsg, "AppClass: Unknown option %s\n", argv[i]);
+            sprintf(errMsg, "AppClass: Unknown option %.500s\n", argv[i]);
             goto ErrorReturn;
         }
     } /* for */
@@ -2318,10 +2318,10 @@
     Free(errMsg);
     return NULL;
   MissingValueReturn:
-    sprintf(errMsg, "AppClass: missing value for %s\n", argv[i]);
+    sprintf(errMsg, "AppClass: missing value for %.500s\n", argv[i]);
     goto ErrorReturn;
   BadValueReturn:
-    sprintf(errMsg, "AppClass: bad value \"%s\" for %s\n", argv[i], argv[i-1]);
+    sprintf(errMsg, "AppClass: bad value \"%.400s\" for %.400s\n", argv[i], argv[i-1]);
     goto ErrorReturn;
   ErrorReturn:
     if(serverInfoPtr != NULL) {
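Review bot: `errMsg` is heap-allocated here (see `Free(errMsg)` in the context lines), so the `.400`/`.500` precisions must match that allocation size, which is not visible in this hunk. The BadValueReturn case uses `%.400s` twice (two arguments) while the other labels use `%.500s` once, which only works if `errMsg` is at least about 850 bytes; confirm the allocation and record the bound beside it.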
Index: mod_imap.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_imap.c,v
retrieving revision 1.13
diff -u -r1.13 mod_imap.c
--- mod_imap.c	1996/12/01 20:29:04	1.13
+++ mod_imap.c	1997/01/01 07:11:50
@@ -366,24 +366,26 @@
 
   if ( ! strcasecmp(value, "map" ) || ! strcasecmp(value, "menu") ) {
     if (r->server->port == 80 ) { 
-      sprintf(url, "http://%s%s", r->server->server_hostname, r->uri);
+      sprintf(url, "http://%.100s%.120s", r->server->server_hostname, r->uri);
     }
     else {
-      sprintf(url, "http://%s:%d%s", r->server->server_hostname,
+      sprintf(url, "http://%.100s:%d%.120s", r->server->server_hostname,
 	      r->server->port, r->uri);      
     }
     return;  
   }
 
   if ( ! strcasecmp(value, "nocontent") || ! strcasecmp(value, "error") ) {
-    strncpy(url, value, SMALLBUF);
+    strncpy(url, value, SMALLBUF-1);
+    url[SMALLBUF-1] = '\0';
     return;    /* these are handled elsewhere, so just copy them */
   }
 
   if ( ! strcasecmp(value, "referer" ) ) {
     referer = table_get(r->headers_in, "Referer");
     if ( referer && *referer ) {
-      strncpy(url, referer, SMALLBUF);
+      strncpy(url, referer, SMALLBUF-1);
+      url[SMALLBUF-1] = '\0';
       return;
     }
     else {
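Review bot: truncating `r->uri` to 120 characters in the "map"/"menu" case yields a syntactically valid but wrong URL rather than an error, so an over-long request URI silently redirects the client to a different resource. Since `url` is `SMALLBUF` bytes (the later hunks use `%.127s%.127s` and `%.255s` for it), the 100/120 split fits, but it would be clearer to derive the limits from `SMALLBUF` and to fail the request when the hostname plus URI does not fit, instead of emitting a clipped Location.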
@@ -395,27 +397,30 @@
   while ( isalpha(*string_pos) )
     string_pos++;    /* go along the URL from the map until a non-letter */
   if ( *string_pos == ':' ) { 
-    strncpy(url, value, SMALLBUF);        /* if letters and then a colon (like http:) */
+    strncpy(url, value, SMALLBUF-1);        /* if letters and then a colon (like http:) */
+    url[SMALLBUF-1] = '\0';
     return;                    /* it's an absolute URL, so use it! */
   }
 
   if ( ! base || ! *base ) {
     if ( value && *value ) {  
-      strncpy(url, value, SMALLBUF);   /* no base: use what is given */
+      strncpy(url, value, SMALLBUF-1);   /* no base: use what is given */
+      url[SMALLBUF-1] = '\0';
     }         
     else {                  
       if (r->server->port == 80 ) {  
-	sprintf(url, "http://%s/", r->server->server_hostname);
+	sprintf(url, "http://%.200s/", r->server->server_hostname);
       }            
       if (r->server->port != 80 ) {
-	sprintf(url, "http://%s:%d/", r->server->server_hostname, 
+	sprintf(url, "http://%.200s:%d/", r->server->server_hostname, 
 		r->server->port);
       }                     /* no base, no value: pick a simple default */
     }
     return;  
   }
 
-  strncpy(my_base, base, SMALLBUF);  /* must be a relative URL to be combined with base */
+  strncpy(my_base, base, SMALLBUF-1);  /* must be a relative URL to be combined with base */
+  my_base[SMALLBUF-1] = '\0';
   string_pos = my_base; 
   while (*string_pos) {  
     if (*string_pos == '/' && *(string_pos+1) == '/') {
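Review bot: the two-line `strncpy(dst, src, SMALLBUF-1); dst[SMALLBUF-1] = '\0';` idiom is now repeated for `url`, `my_base`, and later `href_text` and `closest`. A small helper or macro (for example `COPY_SMALLBUF(dst, src)`) would keep the bound and the terminator in one place and remove the chance of a copy-paste slip like the `sizeof(server_root)` one in http_main.c.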
@@ -473,10 +478,10 @@
   }                   /* by this point, value does not start with '..' */
 
   if ( value && *value ) {
-    sprintf(url, "%s%s", my_base, value);   
+    sprintf(url, "%.127s%.127s", my_base, value);   
   }
   else {
-    sprintf(url, "%s", my_base);   
+    sprintf(url, "%.255s", my_base);   
   }
   return;
 }
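Review bot: `"%.127s%.127s"` assumes `url` is exactly `SMALLBUF` = 256 bytes (127 + 127 + NUL), which is not visible in this hunk, and clipping `my_base` to 127 bytes changes the resulting redirect target without any indication to the caller. At minimum add a comment tying 127 to `SMALLBUF/2 - 1`; better, check `strlen(my_base) + strlen(value) < SMALLBUF` and treat overflow as a map error.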
@@ -675,7 +680,7 @@
     } /* blank lines and comments are ignored if we aren't printing a menu */
 
 
-    if (sscanf(input, "%s %s", directive, value) != 2) {
+    if (sscanf(input, "%.127s %.127s", directive, value) != 2) {
       continue;                           /* make sure we read two fields */
     }
     /* Now skip what we just read... we can't use ANSIism %n */
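Review bot: `sscanf(input, "%.127s %.127s", directive, value)` is wrong: the scanf family has no precision field, only a maximum field width, so `%.127s` is not a valid conversion specification and the call will not match two fields. The `!= 2` test then rejects every map line and the whole imagemap stops working. The correct form is `"%127s %127s"` (no dot), which limits each field to 127 characters plus the NUL and fits a `SMALLBUF`-sized buffer.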
@@ -698,7 +703,8 @@
       imap_url(r, NULL, value, mapdflt);
       if (showmenu) {              /* print the default if there's a menu */
 	if (! *href_text) {           /* if we didn't find a "href text" */
-	  strncpy(href_text, mapdflt, SMALLBUF); /* use the href itself as text */
+	  strncpy(href_text, mapdflt, SMALLBUF-1); /* use the href itself as text */
+	  href_text[SMALLBUF-1] = '\0';
 	}
 	imap_url(r, base, mapdflt, redirect); 
 	menu_default(r, imap_menu, redirect, href_text);
@@ -729,7 +735,8 @@
     if (showmenu) {
       read_quoted(string_pos, href_text); /* href text could be here instead */
       if (! *href_text) {           /* if we didn't find a "href text" */
-	strncpy(href_text, value, SMALLBUF);  /* use the href itself in the menu */
+	strncpy(href_text, value, SMALLBUF-1);  /* use the href itself in the menu */
+	href_text[SMALLBUF-1] = '\0';
       }
       imap_url(r, base, value, redirect); 
       menu_directive(r, imap_menu, redirect, href_text);
@@ -774,7 +781,8 @@
     if ( ! strcasecmp(directive, "point" ) ) {         /* point */
       
       if (is_closer(testpoint, pointarray, &closest_yet) ) {
-	strncpy(closest, value, SMALLBUF);  /* if the closest point yet save it */
+	strncpy(closest, value, SMALLBUF-1);  /* if the closest point yet save it */
+	closest[SMALLBUF-1] = '\0';
       }
       
       continue;    
Index: mod_include.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_include.c,v
retrieving revision 1.19
diff -u -r1.19 mod_include.c
--- mod_include.c	1996/12/24 19:53:04	1.19
+++ mod_include.c	1996/12/31 07:19:19
@@ -567,7 +567,7 @@
 #ifdef DEBUG_INCLUDE_CMD    
     fprintf (dbg, "Exec failed\n");
 #endif    
-    sprintf(err_string, "httpd: exec of %s failed, errno is %d\n",
+    sprintf(err_string, "httpd: exec of %.500s failed, errno is %d\n",
 	    SHELL_PATH,errno);
     write (2, err_string, strlen(err_string));
     exit(0);
@@ -1537,8 +1537,10 @@
     int printing;
     int conditional_status;
 
-    strcpy(error,DEFAULT_ERROR_MSG);
-    strcpy(timefmt,DEFAULT_TIME_FORMAT);
+    strncpy(error,DEFAULT_ERROR_MSG, sizeof(error)-1);
+    error[sizeof(error)-1] = '\0';
+    strncpy(timefmt,DEFAULT_TIME_FORMAT, sizeof(timefmt)-1);
+    error[sizeof(timefmt)-1] = '\0';
     sizefmt = SIZEFMT_KMG;
 
 /*  Turn printing on */
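Review bot: copy-paste error on the terminator for `timefmt`: the line reads `error[sizeof(timefmt)-1] = '\0';` but should be `timefmt[sizeof(timefmt)-1] = '\0';`. As written, `timefmt` is left unterminated when `DEFAULT_TIME_FORMAT` fills it, and the NUL is written into `error` at an index derived from the other array's size, which is an out-of-bounds write if `timefmt` is larger than `error`.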
Index: mod_info.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_info.c,v
retrieving revision 1.7
diff -u -r1.7 mod_info.c
--- mod_info.c	1996/12/01 20:29:09	1.7
+++ mod_info.c	1996/12/31 07:27:43
@@ -93,13 +93,13 @@
 	ret[0]='\0';
 	s = string;
 	t=ret;	
-	while(*s) {
-		if(*s=='<') { strcat(t,"&lt;"); t+=4*sizeof(char); }
-		else if(*s=='>') { strcat(t,"&gt;"); t+=4*sizeof(char); }
+	while((*s) && (strlen(t) < 64)) {
+		if(*s=='<') { strncat(t,"&lt;", sizeof(ret)-strlen(t)); t+=4*sizeof(char); }
+		else if(*s=='>') { strncat(t,"&gt;", sizeof(ret)-strlen(t)); t+=4*sizeof(char); }
 		else *t++=*s;
 		s++;
-		*t='\0';
 	}
+	*t='\0';
 	return(ret);
 }
 
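Review bot: this hunk breaks the escaping loop. Moving `*t='\0';` out of the loop means `t` is no longer terminated at the write position, so `strlen(t)` in the new loop condition and in `sizeof(ret)-strlen(t)` reads whatever follows the last written byte, and `strncat(t, ...)` appends at the first NUL it finds rather than at `t`. The `64` bound is also unrelated to the buffer size, and `sizeof(ret)` is only the buffer size if `ret` is an array declared in this function (its declaration is not in the hunk). Keep `*t='\0';` inside the loop as before and bound on the write offset instead, e.g. `while (*s && (t - ret) < (int)sizeof(ret) - 5)` (room for a four-byte entity plus NUL), then `strcpy` into `t` directly.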
@@ -267,16 +267,16 @@
 	rputs("<html><head><title>Server Information</title></head>\n",r);
 	rputs("<body><h1 align=center>Apache Server Information</h1>\n",r);
 	if(!r->args || strcasecmp(r->args,"list")) {
-		sprintf(buf,"%s/%s",server_root,server_confname);
+		sprintf(buf,"%.127s/%.127s",server_root,server_confname);
 		mod_info_cfg_httpd = mod_info_load_config(r->pool,buf);
-		sprintf(buf,"%s/%s",server_root,serv->srm_confname);
+		sprintf(buf,"%.127s/%.127s",server_root,serv->srm_confname);
 		mod_info_cfg_srm = mod_info_load_config(r->pool,buf);
-		sprintf(buf,"%s/%s",server_root,serv->access_confname);
+		sprintf(buf,"%.127s/%.127s",server_root,serv->access_confname);
 		mod_info_cfg_access = mod_info_load_config(r->pool,buf);
 		if(!r->args) {
 			rputs("<tt><a href=\"#server\">Server Settings</a>, ",r);
 			for(modp = top_module; modp; modp = modp->next) {
-				sprintf(buf,"<a href=\"#%s\">%s</a>",modp->name,modp->name);
+				sprintf(buf,"<a href=\"#%.120s\">%.120s</a>",modp->name,modp->name);
 				rputs(buf, r);
 				if(modp->next) rputs(", ",r);
 			}
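Review bot: `sprintf(buf,"%.127s/%.127s",server_root,server_confname)` silently truncates a path and then passes it to `mod_info_load_config`, so an over-long ServerRoot makes mod_info open the wrong file or fail with a misleading message. Check the combined length first and report an error instead of truncating; the `%.120s` caps on `modp->name` in the anchor links are fine since module names are compile-time strings.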
@@ -284,15 +284,15 @@
 
 		}
 		if(!r->args || !strcasecmp(r->args,"server")) {	
-			sprintf(buf,"<a name=\"server\"><strong>Server Version:</strong> <font size=+1><tt>%s</tt></a></font><br>\n",SERVER_VERSION);
+			sprintf(buf,"<a name=\"server\"><strong>Server Version:</strong> <font size=+1><tt>%.200s</tt></a></font><br>\n",SERVER_VERSION);
 			rputs(buf,r);
 			sprintf(buf,"<strong>API Version:</strong> <tt>%d</tt><br>\n",MODULE_MAGIC_NUMBER);
 			rputs(buf,r);
 			sprintf(buf,"<strong>Run Mode:</strong> <tt>%s</tt><br>\n",standalone?"standalone":"inetd");
 			rputs(buf,r);
-			sprintf(buf,"<strong>User/Group:</strong> <tt>%s(%d)/%d</tt><br>\n",user_name,(int)user_id,(int)group_id);
+			sprintf(buf,"<strong>User/Group:</strong> <tt>%.200s(%d)/%d</tt><br>\n",user_name,(int)user_id,(int)group_id);
 			rputs(buf,r);
-			sprintf(buf,"<strong>Hostname/port:</strong> <tt>%s:%d</tt><br>\n",serv->server_hostname,serv->port);
+			sprintf(buf,"<strong>Hostname/port:</strong> <tt>%.200s:%d</tt><br>\n",serv->server_hostname,serv->port);
 			rputs(buf,r);
 			sprintf(buf,"<strong>Daemons:</strong> <tt>start: %d &nbsp;&nbsp; min idle: %d &nbsp;&nbsp; max idle: %d &nbsp;&nbsp; max: %d</tt><br>\n",daemons_to_start,daemons_min_free,daemons_max_free,daemons_limit);
 			rputs(buf,r);
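Review bot: the Server Version line at the top of this hunk can still put about 290 bytes into buf (68 bytes of markup before `%.200s`, 200 for the version, 21 after, plus the terminator), so the `%.200s` only helps if buf is comfortably larger than the 256 implied by the previous hunk. Same request as there: confirm buf's size and size these widths from it, otherwise the numbers give a false sense of safety.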
@@ -300,26 +300,26 @@
 			rputs(buf,r);
 			sprintf(buf,"<strong>Timeouts:</strong> <tt>connection: %d &nbsp;&nbsp; keep-alive: %d</tt><br>",serv->timeout,serv->keep_alive_timeout);
 			rputs(buf,r);
-			sprintf(buf,"<strong>Server Root:</strong> <tt>%s</tt><br>\n",server_root);
+			sprintf(buf,"<strong>Server Root:</strong> <tt>%.200s</tt><br>\n",server_root);
 			rputs(buf,r);
-			sprintf(buf,"<strong>Config File:</strong> <tt>%s</tt><br>\n",server_confname);
+			sprintf(buf,"<strong>Config File:</strong> <tt>%.200s</tt><br>\n",server_confname);
 			rputs(buf,r);
-			sprintf(buf,"<strong>PID File:</strong> <tt>%s</tt><br>\n",pid_fname);
+			sprintf(buf,"<strong>PID File:</strong> <tt>%.200s</tt><br>\n",pid_fname);
 			rputs(buf,r);
-			sprintf(buf,"<strong>Scoreboard File:</strong> <tt>%s</tt><br>\n",scoreboard_fname);
+			sprintf(buf,"<strong>Scoreboard File:</strong> <tt>%.200s</tt><br>\n",scoreboard_fname);
 			rputs(buf,r);
 		}
 		rputs("<hr><dl>",r);
 		for(modp = top_module; modp; modp = modp->next) {
 			if(!r->args || !strcasecmp(modp->name,r->args)) {	
-				sprintf(buf,"<dt><a name=\"%s\"><strong>Module Name:</strong> <font size=+1><tt>%s</tt></a></font>\n",modp->name,modp->name);
+				sprintf(buf,"<dt><a name=\"%.100s\"><strong>Module Name:</strong> <font size=+1><tt>%.100s</tt></a></font>\n",modp->name,modp->name);
 				rputs(buf,r);
 				rputs("<dt><strong>Content-types affected:</strong>",r);	
 				hand = modp->handlers;
 				if(hand) {
 					while(hand) {
 						if(hand->content_type) {
-							sprintf(buf," <tt>%s</tt>\n",hand->content_type);	
+							sprintf(buf," <tt>%.200s</tt>\n",hand->content_type);	
 							rputs(buf,r);
 						} else break;
 						hand++;
@@ -370,7 +370,7 @@
 				if(cmd) {
 					while(cmd) {
 						if(cmd->name) {
-							sprintf(buf,"<dd><tt>%s - <i>",mod_info_html_cmd_string(cmd->name));	
+							sprintf(buf,"<dd><tt>%.200s - <i>",mod_info_html_cmd_string(cmd->name));	
 							rputs(buf,r);
 							if(cmd->errmsg) rputs(cmd->errmsg,r);
 							rputs("</i></tt>\n",r);
Index: mod_log_agent.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_log_agent.c,v
retrieving revision 1.6
diff -u -r1.6 mod_log_agent.c
--- mod_log_agent.c	1996/12/01 20:29:12	1.6
+++ mod_log_agent.c	1996/12/31 07:33:12
@@ -165,7 +165,7 @@
     agent = table_get(orig->headers_in, "User-Agent");
     if(agent != NULL) 
       {
-	sprintf(str, "%s\n", agent);
+	sprintf(str, "%.1000s\n", agent);
 	write(cls->agent_fd, str, strlen(str));
       }
     
Index: mod_log_config.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_log_config.c,v
retrieving revision 1.18
diff -u -r1.18 mod_log_config.c
--- mod_log_config.c	1996/12/11 05:16:08	1.18
+++ mod_log_config.c	1996/12/31 23:21:25
@@ -320,14 +320,14 @@
 }
 
 char *log_server_port (request_rec *r, char *a) {
-    char portnum[10];
+    char portnum[22];
 
     sprintf(portnum, "%d", r->server->port);
     return pstrdup(r->pool, portnum);
 }
 
 char *log_child_pid (request_rec *r, char *a) {
-    char pidnum[10];
+    char pidnum[22];
     sprintf(pidnum, "%ld", (long)getpid());
     return pstrdup(r->pool, pidnum);
 }
 
Index: mod_negotiation.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_negotiation.c,v
retrieving revision 1.28
diff -u -r1.28 mod_negotiation.c
--- mod_negotiation.c	1996/12/22 03:47:14	1.28
+++ mod_negotiation.c	1997/01/01 00:02:35
@@ -1653,7 +1653,7 @@
         char *rec;
         char qstr[6];
         long len;
-        char lenstr[20];                /* is this long enough? */
+        char lenstr[22];                /* enough for 2^64 */
 
         sprintf(qstr, "%1.3f", variant->type_quality);
 
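Review bot: in the context lines of this hunk `qstr[6]` holds exactly `%1.3f` of a value in [0, 10) plus the terminator; a type_quality of 10.0 or a negative value would overflow it. Since lenstr is being sized for the worst case here, consider giving qstr the same treatment (or clamping type_quality before formatting it).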
Index: mod_rewrite.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_rewrite.c,v
retrieving revision 1.11
diff -u -r1.11 mod_rewrite.c
--- mod_rewrite.c	1996/12/24 19:40:16	1.11
+++ mod_rewrite.c	1997/01/01 08:04:59
@@ -906,7 +906,7 @@
        we start with the requested URI */
     if (r->filename == NULL) {
         r->filename = pstrdup(r->pool, r->uri);
-        rewritelog(r, 2, "init rewrite engine with requested uri %s", r->filename);
+        rewritelog(r, 2, "init rewrite engine with requested uri %.500s", r->filename);
     }
 
     /*
@@ -935,7 +935,7 @@
             r->proxyreq = 1;
             r->handler  = "proxy-server";
 
-            rewritelog(r, 1, "go-ahead with proxy request %s [OK]", r->filename);
+            rewritelog(r, 1, "go-ahead with proxy request %.500s [OK]", r->filename);
             return OK; 
         }
 #ifdef APACHE_SSL
@@ -958,7 +958,7 @@
 #endif
                 ;
             if (*cp != '\0') {
-                rewritelog(r, 1, "escaping %s for redirect", r->filename);
+                rewritelog(r, 1, "escaping %.500s for redirect", r->filename);
                 cp2 = escape_uri(r->pool, cp);
                 *cp = '\0';
                 r->filename = pstrcat(r->pool, r->filename, cp2, NULL);
@@ -969,7 +969,7 @@
                r->filename = pstrcat(r->pool, r->filename, "?", r->args, NULL);
 
             table_set(r->headers_out, "Location", r->filename);
-            rewritelog(r, 1, "redirect to %s [REDIRECT]", r->filename);
+            rewritelog(r, 1, "redirect to %.500s [REDIRECT]", r->filename);
             return REDIRECT;
         }
         else if (strlen(r->filename) > 10 &&
@@ -994,7 +994,7 @@
             /* expand "/~user" prefix */
             r->filename = expand_tildepaths(r, r->filename);  
 
-            rewritelog(r, 2, "local path result: %s", r->filename);
+            rewritelog(r, 2, "local path result: %.500s", r->filename);
 
             /* the filename has to start with a slash! */
             if (r->filename[0] != '/')
@@ -1023,7 +1023,8 @@
             n = prefix_stat(r->filename, &finfo);
             if (n == 0) {
                 if ((cp = document_root(r)) != NULL) {
-                    strcpy(docroot, cp);
+                    strncpy(docroot, cp, sizeof(docroot)-1);
+		    docroot[sizeof(docroot)-1] = '\0';
 
                     /* allways NOT have a trailing slash */
                     l = strlen(docroot);
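Review bot: the added `docroot[sizeof(docroot)-1] = '\0';` line is indented with a tab while the surrounding code uses spaces; worth fixing before commit, and the same tab/space mix appears on the added terminator lines in the later newuri hunks. The strncpy plus explicit terminator pair itself is the right fix.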
@@ -1034,16 +1035,16 @@
                         r->filename = pstrcat(r->pool, docroot, (r->filename + r->server->pathlen), NULL);
                     else
                         r->filename = pstrcat(r->pool, docroot, r->filename, NULL);
-                    rewritelog(r, 2, "prefixed with document_root to %s", r->filename);
+                    rewritelog(r, 2, "prefixed with document_root to %.500s", r->filename);
                 }
             }
 
-            rewritelog(r, 1, "go-ahead with %s [OK]", r->filename);
+            rewritelog(r, 1, "go-ahead with %.500s [OK]", r->filename);
             return OK;
         }
     }
     else {
-        rewritelog(r, 1, "pass through %s", r->filename);
+        rewritelog(r, 1, "pass through %.500s", r->filename);
         return DECLINED;
     }
 }
@@ -1066,7 +1067,7 @@
     if (t == NULL) 
         return DECLINED;
     else {
-        rewritelog(r, 1, "force filename %s to have MIME-type '%s'", r->filename, t);
+        rewritelog(r, 1, "force filename %.500s to have MIME-type '%.500s'", r->filename, t);
         r->content_type = t;
         return OK;
     }
@@ -1144,7 +1145,7 @@
             r->proxyreq = 1;
             r->handler  = "proxy-server";
 
-            rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request %s [OK]", dconf->directory, r->filename);
+            rewritelog(r, 1, "[per-dir %.500s] go-ahead with proxy request %.500s [OK]", dconf->directory, r->filename);
             return OK; 
         }
 #ifdef APACHE_SSL
@@ -1169,7 +1170,7 @@
 #else
                 if ((cp = strchr(r->filename+7, '/')) != NULL) {
 #endif
-                    rewritelog(r, 2, "[per-dir %s] trying to replace prefix %s with %s", dconf->directory, dconf->directory, dconf->baseurl);
+                    rewritelog(r, 2, "[per-dir %.500s] trying to replace prefix %.500s with %.500s", dconf->directory, dconf->directory, dconf->baseurl);
                     cp2 = subst_prefix_path(r, cp, dconf->directory, dconf->baseurl);
                     if (strcmp(cp2, cp) != 0) {
                         *cp = '\0';
@@ -1186,7 +1187,7 @@
 #endif
                 ;
             if (*cp != '\0') {
-                rewritelog(r, 1, "[per-dir %s] escaping %s for redirect", dconf->directory, r->filename);
+                rewritelog(r, 1, "[per-dir %.500s] escaping %.500s for redirect", dconf->directory, r->filename);
                 cp2 = escape_uri(r->pool, cp);
                 *cp = '\0';
                 r->filename = pstrcat(r->pool, r->filename, cp2, NULL);
@@ -1197,7 +1198,7 @@
                r->filename = pstrcat(r->pool, r->filename, "?", r->args, NULL);
 
             table_set(r->headers_out, "Location", r->filename);
-            rewritelog(r, 1, "[per-dir %s] redirect to %s [REDIRECT]", dconf->directory, r->filename);
+            rewritelog(r, 1, "[per-dir %.500s] redirect to %.500s [REDIRECT]", dconf->directory, r->filename);
             return REDIRECT;
         }
         else if (strlen(r->filename) > 10 &&
@@ -1226,7 +1227,7 @@
                context. If not then treat the result as a 
                plain URL */
             if (dconf->baseurl != NULL) {
-                rewritelog(r, 2, "[per-dir %s] trying to replace prefix %s with %s", dconf->directory, dconf->directory, dconf->baseurl);
+                rewritelog(r, 2, "[per-dir %.500s] trying to replace prefix %.500s with %.500s", dconf->directory, dconf->directory, dconf->baseurl);
                 r->filename = subst_prefix_path(r, r->filename, dconf->directory, dconf->baseurl);
             }
             else {
@@ -1244,21 +1245,21 @@
                         l--;
                     }
                     if (strncmp(r->filename, prefix, l) == 0) {
-                        rewritelog(r, 2, "[per-dir %s] strip document_root prefix: %s -> %s", dconf->directory, r->filename, r->filename+l);
+                        rewritelog(r, 2, "[per-dir %.500s] strip document_root prefix: %.500s -> %.500s", dconf->directory, r->filename, r->filename+l);
                         r->filename = pstrdup(r->pool, r->filename+l); 
                     }
                 }
             }
 
             /* now initiate the internal redirect */
-            rewritelog(r, 1, "[per-dir %s] internal redirect with %s [INTERNAL REDIRECT]", dconf->directory, r->filename);
+            rewritelog(r, 1, "[per-dir %.500s] internal redirect with %.500s [INTERNAL REDIRECT]", dconf->directory, r->filename);
             r->filename = pstrcat(r->pool, "redirect:", r->filename, NULL);
             r->handler = "redirect-handler";
             return OK; 
         }
     }
     else {
-        rewritelog(r, 1, "[per-dir %s] pass through %s", dconf->directory, r->filename);
+        rewritelog(r, 1, "[per-dir %.500s] pass through %.500s", dconf->directory, r->filename);
         return DECLINED;
     }
 }
@@ -1327,13 +1328,13 @@
             if (rc != 2) /* not a match-only rule */
                 changed = 1;
             if (p->flags & RULEFLAG_PASSTHROUGH) {
-                rewritelog(r, 2, "forcing '%s' to get passed through to next URI-to-filename handler", r->filename);
+                rewritelog(r, 2, "forcing '%.500s' to get passed through to next URI-to-filename handler", r->filename);
                 r->filename = pstrcat(r->pool, "passthrough:", r->filename, NULL);
                 changed = 1;
                 break;
             }
             if (p->flags & RULEFLAG_FORBIDDEN) {
-                rewritelog(r, 2, "forcing '%s' to be forbidden", r->filename);
+                rewritelog(r, 2, "forcing '%.500s' to be forbidden", r->filename);
                 r->filename = pstrcat(r->pool, "forbidden:", r->filename, NULL);
                 changed = 1;
                 break;
@@ -1396,7 +1397,7 @@
     flags   = p->flags;
 
     if (perdir != NULL && r->path_info != NULL && r->path_info[0] != '\0') {
-        rewritelog(r, 3, "[per-dir %s] add path-info postfix: %s -> %s%s", perdir, uri, uri, r->path_info);
+        rewritelog(r, 3, "[per-dir %.500s] add path-info postfix: %.500s -> %.500s%.500s", perdir, uri, uri, r->path_info);
         uri = pstrcat(r->pool, uri, r->path_info, NULL);
     }
 
@@ -1405,14 +1406,14 @@
         /* this is a per-directory match */
         if (   strlen(uri) >= strlen(perdir)
             && strncmp(uri, perdir, strlen(perdir)) == 0) {
-            rewritelog(r, 3, "[per-dir %s] strip per-dir prefix: %s -> %s", perdir, uri, uri+strlen(perdir));
+            rewritelog(r, 3, "[per-dir %.500s] strip per-dir prefix: %.500s -> %.500s", perdir, uri, uri+strlen(perdir));
             uri = uri+strlen(perdir);
             prefixstrip = 1;
         }
     }
 
     if (perdir != NULL) 
-        rewritelog(r, 3, "[per-dir %s] applying pattern '%s' to uri '%s'", perdir, p->pattern, uri);
+        rewritelog(r, 3, "[per-dir %.500s] applying pattern '%.500s' to uri '%.500s'", perdir, p->pattern, uri);
 
 #ifdef HAS_APACHE_REGEX_LIB
     rc = (regexec(regexp, uri, regexp->re_nsub+1, regmatch, 0) == 0);   /* try to match the pattern */
@@ -1468,14 +1469,16 @@
         if (p->flags & RULEFLAG_PROXY) {
             if (p->flags & RULEFLAG_NOTMATCH) {
                 output = pstrcat(r->pool, "proxy:", output, NULL);
-                strcpy(newuri, output);
+                strncpy(newuri, output, sizeof(newuri)-1);
+		newuri[sizeof(newuri)-1] = '\0';
                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
                 expand_map_lookups(r, newuri);                       /* expand ${...} */
             }
             else {
                 output = pstrcat(r->pool, "proxy:", output, NULL);
 #ifdef HAS_APACHE_REGEX_LIB
-                strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch));    /* substitute in output */
+                strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1);    /* substitute in output */
+		newuri[sizeof(newuri)-1] = '\0';
 #else
                 regsub(regexp, output, newuri);                      /* substitute in output */
 #endif
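Review bot: only the HAS_APACHE_REGEX_LIB branch is bounded here; the `#else` branch `regsub(regexp, output, newuri);` still writes into newuri with no length argument, so builds without the Apache regex library keep the original overflow. The same gap repeats in the next two newuri hunks and in lookup_map_txtfile's `regsub(lookup_map_txtfile_regexp, output, result);`. Either bound those paths too (regsub would need a size parameter) or state in the patch that the `#else` path is knowingly left unfixed.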
@@ -1483,9 +1486,9 @@
                 expand_map_lookups(r, newuri);                       /* expand ${...} */
             }
             if (perdir == NULL)
-                rewritelog(r, 2, "rewrite %s -> %s", r->filename, newuri);
+                rewritelog(r, 2, "rewrite %.500s -> %.500s", r->filename, newuri);
             else
-                rewritelog(r, 2, "[per-dir %s] rewrite %s -> %s", perdir, r->filename, newuri);
+                rewritelog(r, 2, "[per-dir %.500s] rewrite %.500s -> %.500s", perdir, r->filename, newuri);
             r->filename = pstrdup(r->pool, newuri);
             return 1;
         }
@@ -1500,20 +1503,22 @@
         if (perdir != NULL && strncmp(output, "http://", 7) == 0) {
 #endif
             if (p->flags & RULEFLAG_NOTMATCH) {
-                strcpy(newuri, output);
+                strncpy(newuri, output, sizeof(newuri)-1);
+                newuri[sizeof(newuri)-1] = '\0';
                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
                 expand_map_lookups(r, newuri);                       /* expand ${....} */
             }
             else {
 #ifdef HAS_APACHE_REGEX_LIB
-                strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch));    /* substitute in output */
+                strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1);    /* substitute in output */
+                newuri[sizeof(newuri)-1] = '\0';
 #else
                 regsub(regexp, output, newuri);                      /* substitute in output */
 #endif
                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
                 expand_map_lookups(r, newuri);                       /* expand ${...} */
             }
-            rewritelog(r, 2, "[per-dir %s] redirect %s -> %s", perdir, r->filename, newuri);
+            rewritelog(r, 2, "[per-dir %.500s] redirect %.500s -> %.500s", perdir, r->filename, newuri);
             r->filename = pstrdup(r->pool, newuri);
             return 1;
         }
@@ -1523,18 +1528,20 @@
            prefixed by a slash which means that is 
            no for this per-dir context) */
         if (prefixstrip && output[0] != '/') {
-            rewritelog(r, 3, "[per-dir %s] add per-dir prefix: %s -> %s%s", perdir, output, perdir, output);
+            rewritelog(r, 3, "[per-dir %.500s] add per-dir prefix: %.500s -> %.500s%.500s", perdir, output, perdir, output);
             output = pstrcat(r->pool, perdir, output, NULL);
         }
 
         if (p->flags & RULEFLAG_NOTMATCH) {
             /* just overtake the URI */
-            strcpy(newuri, output);
+            strncpy(newuri, output, sizeof(newuri)-1);
+            newuri[sizeof(newuri)-1] = '\0';
         }
         else {
             /* substitute in output */
 #ifdef HAS_APACHE_REGEX_LIB
-            strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch));    /* substitute in output */
+            strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1);    /* substitute in output */
+            newuri[sizeof(newuri)-1] = '\0';
 #else
             regsub(regexp, output, newuri);                      /* substitute in output */
 #endif
@@ -1543,9 +1550,9 @@
         expand_map_lookups(r, newuri);         /* expand ${...} */
 
         if (perdir == NULL)
-            rewritelog(r, 2, "rewrite %s -> %s", uri, newuri);
+            rewritelog(r, 2, "rewrite %.500s -> %.500s", uri, newuri);
         else
-            rewritelog(r, 2, "[per-dir %s] rewrite %s -> %s", perdir, uri, newuri);
+            rewritelog(r, 2, "[per-dir %.500s] rewrite %.500s -> %.500s", perdir, uri, newuri);
 
         r->filename = pstrdup(r->pool, newuri);
 
@@ -1559,9 +1566,9 @@
         if (p->forced_mimetype != NULL) {
             table_set(r->notes, REWRITE_FORCED_MIMETYPE_NOTEVAR, p->forced_mimetype);
             if (perdir == NULL)
-                rewritelog(r, 2, "remember %s to have MIME-type '%s'", r->filename, p->forced_mimetype);
+                rewritelog(r, 2, "remember %.500s to have MIME-type '%.500s'", r->filename, p->forced_mimetype);
             else
-                rewritelog(r, 2, "[per-dir %s] remember %s to have MIME-type '%s'", perdir, r->filename, p->forced_mimetype);
+                rewritelog(r, 2, "[per-dir %.500s] remember %.500s to have MIME-type '%.500s'", perdir, r->filename, p->forced_mimetype);
         }
 
         /* if we are forced to do a explicit redirect by [R] flag
@@ -1586,20 +1593,20 @@
                     sprintf(port, ":%d", r->server->port);
                 if (r->filename[0] == '/')
 #ifdef APACHE_SSL
-                    sprintf(newuri, "%s://%s%s%s", http_method(r), r->server->server_hostname, port, r->filename);
+                    sprintf(newuri, "%.500s://%.500s%.500s%.500s", http_method(r), r->server->server_hostname, port, r->filename);
 #else
-                    sprintf(newuri, "http://%s%s%s", r->server->server_hostname, port, r->filename);
+                    sprintf(newuri, "http://%.500s%.500s%.500s", r->server->server_hostname, port, r->filename);
 #endif
                 else
 #ifdef APACHE_SSL
-                    sprintf(newuri, "%s://%s%s/%s", http_method(r), r->server->server_hostname, port, r->filename);
+                    sprintf(newuri, "%.500s://%.500s%.500s/%.500s", http_method(r), r->server->server_hostname, port, r->filename);
 #else
-                    sprintf(newuri, "http://%s%s/%s", r->server->server_hostname, port, r->filename);
+                    sprintf(newuri, "http://%.500s%.500s/%.500s", r->server->server_hostname, port, r->filename);
 #endif
                 if (perdir == NULL) 
-                    rewritelog(r, 2, "prepare forced redirect %s -> %s", r->filename, newuri);
+                    rewritelog(r, 2, "prepare forced redirect %.500s -> %.500s", r->filename, newuri);
                 else
-                    rewritelog(r, 2, "[per-dir %s] prepare forced redirect %s -> %s", perdir, r->filename, newuri);
+                    rewritelog(r, 2, "[per-dir %.500s] prepare forced redirect %.500s -> %.500s", perdir, r->filename, newuri);
                 r->filename = pstrdup(r->pool, newuri);
                 return 1;
             }
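Review bot: the four `%.500s` conversions into newuri add up to 2003 bytes plus the terminator (2004 in the `/%.500s` variant), so these sprintfs are only safe if newuri is at least that large, and the hunk does not show its declaration. Suggest deriving the widths from sizeof(newuri) or adding a comment stating the assumption; also `port` is given `%.500s` although it only ever holds `:` plus a number, which is harmless but obscures which argument actually needs the limit.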
@@ -1650,12 +1657,13 @@
         rc = (regexec(p->regexp, input, 0, NULL, 0) == 0);
 #else
         if (p->flags & CONDFLAG_NOCASE) {
-            for (i = 0; input[i] != '\0'; i++)
+            for (i = 0; input[i] != '\0' && i < sizeof(inputbuf)-1 ; i++)
                 inputbuf[i] = tolower(input[i]);
             inputbuf[i] = '\0';
         }
         else {
-            strcpy(inputbuf, input);
+            strncpy(inputbuf, input, sizeof(inputbuf)-1);
+            inputbuf[sizeof(inputbuf)-1] = '\0';
         }
         rc = (regexec(p->regexp, inputbuf) != 0);
 #endif
@@ -1665,7 +1673,7 @@
     if (p->flags & CONDFLAG_NOTMATCH) 
         rc = !rc;
 
-    rewritelog(r, 4, "RewriteCond: input='%s' pattern='%s' => %s", input, p->pattern, rc ? "matched" : "not-matched");
+    rewritelog(r, 4, "RewriteCond: input='%.500s' pattern='%.500s' => %.500s", input, p->pattern, rc ? "matched" : "not-matched");
 
     /* end just return the result */
     return rc;
@@ -1702,7 +1710,7 @@
         r->args = pstrcat(r->pool, q, "&", r->args, NULL);
         if (r->args[strlen(r->args)-1] == '&')
             r->args[strlen(r->args)-1] = '\0';
-        rewritelog(r, 3, "split uri=%s -> uri=%s, args=%s", olduri, r->filename, r->args);
+        rewritelog(r, 3, "split uri=%.500s -> uri=%.500s, args=%.500s", olduri, r->filename, r->args);
     }
     return;            
 }
@@ -1740,9 +1748,11 @@
 
         /* cut the hostname and port out of the URI */
 #ifdef APACHE_SSL
-        strcpy(buf, r->filename+strlen(http_method(r))+3);
+        strncpy(buf, r->filename+strlen(http_method(r))+3, sizeof(buf)-1);
+        buf[sizeof(buf)-1] = '\0';
 #else
-        strcpy(buf, r->filename+7);
+        strncpy(buf, r->filename+7, sizeof(buf)-1);
+        buf[sizeof(buf)-1] = '\0';
 #endif
         hostp = buf;
         for (cp = hostp; *cp != '\0' && *cp != '/' && *cp != ':'; cp++)
@@ -1750,7 +1760,8 @@
         if (*cp == ':') {
             /* set host */
             *cp++ = '\0';
-            strcpy(host, hostp);
+            strncpy(host, hostp, sizeof(host)-1);
+            host[sizeof(host)-1] = '\0';
             /* set port */
             portp = cp;
             for (; *cp != '\0' && *cp != '/'; cp++)
@@ -1765,7 +1776,8 @@
         else if (*cp == '/') {
             /* set host */
             *cp = '\0';
-            strcpy(host, hostp);
+            strncpy(host, hostp, sizeof(host)-1);
+            host[sizeof(host)-1] = '\0';
             *cp = '/';
             /* set port */
             port = 80;
@@ -1774,7 +1786,8 @@
         }
         else {
             /* set host */
-            strcpy(host, hostp);
+            strncpy(host, hostp, sizeof(host)-1);
+            host[sizeof(host)-1] = '\0';
             /* set port */
             port = 80;
             /* set remaining url */
@@ -1785,7 +1798,7 @@
         if (is_this_our_host(r, host) && port == r->server->port) {
             /* this is our host, so only the URL remains */
             r->filename = pstrdup(r->pool, url);
-            rewritelog(r, 3, "reduce %s -> %s", olduri, r->filename);
+            rewritelog(r, 3, "reduce %.500s -> %.500s", olduri, r->filename);
         }
     }
     return;            
@@ -1809,7 +1822,7 @@
     newuri = uri;
     if (uri != NULL && strlen(uri) > 2 && uri[0] == '/' && uri[1] == '~') {
         /* cut out the username */
-        for (j = 0, i = 2; uri[i] != '\0' && 
+        for (j = 0, i = 2; j < sizeof(user)-1 && uri[i] != '\0' &&
                        (   (uri[i] >= '0' && uri[i] <= '9')
                         || (uri[i] >= 'a' && uri[i] <= 'z')
                         || (uri[i] >= 'A' && uri[i] <= 'Z')); )
@@ -1841,8 +1854,11 @@
 **  i.e. expansion of MAP lookup directives
 **  ${<mapname>:<key>} in RewriteRule rhs
 **
+**  There needs to be at least MAX_STRING_LEN characters allocated for uri.
+**
 */
 
+#define limit_length(n)		(n > LONG_STRING_LEN-1 ? LONG_STRING_LEN-1 : n)
 static void expand_map_lookups(request_rec *r, char *uri)
 {
     char newuri[MAX_STRING_LEN];
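Review bot: `limit_length(n)` should parenthesize both its argument and its body, `(((n) > LONG_STRING_LEN-1) ? LONG_STRING_LEN-1 : (n))`, since it is used inside larger expressions. The new comment says uri needs MAX_STRING_LEN bytes, yet the macro clamps to LONG_STRING_LEN-1; that is fine only if mapname, mapkey and defaultvalue are LONG_STRING_LEN and the output buffer newuri is MAX_STRING_LEN, so a comment stating which buffer each bound protects would make the hunks that follow reviewable.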
@@ -1873,27 +1889,27 @@
 
             cpT = strchr(cpI, ':');
             n = cpT-cpI;
-            memcpy(mapname, cpI, n);
-            mapname[n] = '\0';
+            memcpy(mapname, cpI, limit_length(n));
+            mapname[limit_length(n)] = '\0';
             cpI += n+1;
 
             cpT2 = strchr(cpI, '|');
             cpT = strchr(cpI, '}');
             if (cpT2 != NULL && cpT2 < cpT) {
                 n = cpT2-cpI;
-                memcpy(mapkey, cpI, n);
-                mapkey[n] = '\0';
+                memcpy(mapkey, cpI, limit_length(n));
+                mapkey[limit_length(n)] = '\0';
                 cpI += n+1;
 
                 n = cpT-cpI;
-                memcpy(defaultvalue, cpI, n);
-                defaultvalue[n] = '\0';
+                memcpy(defaultvalue, cpI, limit_length(n));
+                defaultvalue[limit_length(n)] = '\0';
                 cpI += n+1;
             }
             else {
                 n = cpT-cpI;
-                memcpy(mapkey, cpI, n);
-                mapkey[n] = '\0';
+                memcpy(mapkey, cpI, limit_length(n));
+                mapkey[limit_length(n)] = '\0';
                 cpI += n+1;
 
                 defaultvalue[0] = '\0';
@@ -1902,13 +1918,13 @@
             cpT = lookup_map(r, mapname, mapkey);
             if (cpT != NULL) {
                 n = strlen(cpT);
-                memcpy(cpO, cpT, n);
+                memcpy(cpO, cpT, limit_length(n));
                 cpO += n;
             }
             else {
                 n = strlen(defaultvalue);
-                memcpy(cpO, defaultvalue, n);
-                cpO += n;
+                memcpy(cpO, defaultvalue, limit_length(n));
+                cpO += limit_length(n);
             }
         }
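Review bot: in the `if (cpT != NULL)` branch the copy is clamped with `memcpy(cpO, cpT, limit_length(n));` but the pointer still advances with the unchanged `cpO += n;`, so a long map value leaves a run of uninitialised bytes in newuri and moves cpO past what was actually copied. The `else` branch just below does `cpO += limit_length(n);` and this one should match it.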
         else {
@@ -1916,15 +1932,16 @@
             if (cpT == NULL)
                 cpT = cpI+strlen(cpI);
             n = cpT-cpI;
-            memcpy(cpO, cpI, n);
-            cpO += n;
+            memcpy(cpO, cpI, limit_length(n));
+            cpO += limit_length(n);
             cpI += n;
         }
     }
     *cpO = '\0';
-    strcpy(uri, newuri);
+    strncpy(uri, newuri, MAX_STRING_LEN);
     return;
 }
+#undef limit_length
 
 
 
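Review bot: each segment is clamped to LONG_STRING_LEN-1, but cpO advances cumulatively with no check against the end of newuri[MAX_STRING_LEN], so a URI with several `${...}` lookups or long literal runs can still carry cpO off the end before `*cpO = '\0';`. The replacement `strncpy(uri, newuri, MAX_STRING_LEN);` then copies MAX_STRING_LEN bytes without guaranteeing a terminator in uri. Suggest clamping each copy to the space remaining in newuri (`min(n, newuri + sizeof(newuri) - 1 - cpO)`) and terminating uri explicitly with `uri[MAX_STRING_LEN-1] = '\0';` after the strncpy.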
@@ -1964,17 +1981,17 @@
                 if (value == NULL) {
                     rewritelog(r, 6, "cache lookup FAILED, forcing new map lookup");
                     if ((value = lookup_map_txtfile(r, s->datafile, key)) != NULL) {
-                        rewritelog(r, 5, "map lookup OK: map=%s key=%s[txt] -> val=%s", s->name, key, value);
+                        rewritelog(r, 5, "map lookup OK: map=%.500s key=%.500s[txt] -> val=%.500s", s->name, key, value);
                         set_cache_string(cachep, s->name, CACHEMODE_TS, st.st_mtime, key, value);
                         return value;
                     }
                     else {
-                        rewritelog(r, 5, "map lookup FAILED: map=%s[txt] key=%s", s->name, key);
+                        rewritelog(r, 5, "map lookup FAILED: map=%.500s[txt] key=%.500s", s->name, key);
                         return NULL;
                     }
                 }
                 else {
-                    rewritelog(r, 5, "cache lookup OK: map=%s[txt] key=%s -> val=%s", s->name, key, value);
+                    rewritelog(r, 5, "cache lookup OK: map=%.500s[txt] key=%.500s -> val=%.500s", s->name, key, value);
                     return value;
                 }
             }
@@ -1985,17 +2002,17 @@
                 if (value == NULL) {
                     rewritelog(r, 6, "cache lookup FAILED, forcing new map lookup");
                     if ((value = lookup_map_dbmfile(r, s->datafile, key)) != NULL) {
-                        rewritelog(r, 5, "map lookup OK: map=%s[dbm] key=%s -> val=%s", s->name, key, value);
+                        rewritelog(r, 5, "map lookup OK: map=%.500s[dbm] key=%.500s -> val=%.500s", s->name, key, value);
                         set_cache_string(cachep, s->name, CACHEMODE_TS, st.st_mtime, key, value);
                         return value;
                     }
                     else {
-                        rewritelog(r, 5, "map lookup FAILED: map=%s[dbm] key=%s", s->name, key);
+                        rewritelog(r, 5, "map lookup FAILED: map=%.500s[dbm] key=%.500s", s->name, key);
                         return NULL;
                     }
                 }
                 else {
-                    rewritelog(r, 5, "cache lookup OK: map=%s[dbm] key=%s -> val=%s", s->name, key, value);
+                    rewritelog(r, 5, "cache lookup OK: map=%.500s[dbm] key=%.500s -> val=%.500s", s->name, key, value);
                     return value;
                 }
 #else
@@ -2004,11 +2021,11 @@
             }
             else if (s->type == MAPTYPE_PRG) {
                 if ((value = lookup_map_program(r, s->fpin, s->fpout, key)) != NULL) {
-                    rewritelog(r, 5, "map lookup OK: map=%s key=%s -> val=%s", s->name, key, value);
+                    rewritelog(r, 5, "map lookup OK: map=%.500s key=%.500s -> val=%.500s", s->name, key, value);
                     return value;
                 }
                 else {
-                    rewritelog(r, 5, "map lookup FAILED: map=%s key=%s", s->name, key);
+                    rewritelog(r, 5, "map lookup FAILED: map=%.500s key=%.500s", s->name, key);
                 }
             }
         }
@@ -2041,7 +2058,8 @@
         if (regexec(lookup_map_txtfile_regexp, line) != 0) {
 #endif
 #ifdef HAS_APACHE_REGEX_LIB
-            strcpy(result, pregsub(r->pool, output, line, lookup_map_txtfile_regexp->re_nsub+1, lookup_map_txtfile_regmatch)); /* substitute in output */
+            strncpy(result, pregsub(r->pool, output, line, lookup_map_txtfile_regexp->re_nsub+1, lookup_map_txtfile_regmatch), sizeof(result)-1); /* substitute in output */
+            result[sizeof(result)-1] = '\0';
 #else
             regsub(lookup_map_txtfile_regexp, output, result);
 #endif
@@ -2070,7 +2088,7 @@
     char buf[MAX_STRING_LEN];
 
     dbmkey.dptr  = key;
-    dbmkey.dsize = strlen(key);
+    dbmkey.dsize = strlen(key) < sizeof(buf)-1 : strlen(key) ? sizeof(buf)-1;
     if ((dbmfp = dbm_open(file, O_RDONLY, 0666)) != NULL) {
         dbmval = dbm_fetch(dbmfp, dbmkey);
         if (dbmval.dptr != NULL) {
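Review bot: the added dsize line has the ternary operators swapped and will not compile: `strlen(key) < sizeof(buf)-1 : strlen(key) ? sizeof(buf)-1` should read `strlen(key) < sizeof(buf)-1 ? strlen(key) : sizeof(buf)-1`. It also deserves a comment on why the key length is tied to sizeof(buf) (presumably buf receives the fetched value), because a silently truncated key simply looks up a different entry rather than failing.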
@@ -2096,7 +2114,7 @@
 
     /* read in the response value */
     i = 0;
-    while (read(fpout, &c, 1) == 1 && (i < LONG_STRING_LEN)) {
+    while (read(fpout, &c, 1) == 1 && (i < LONG_STRING_LEN-1)) {
         if (c == '\n')
             break;
         buf[i++] = c;
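Review bot: when the program's response is longer than LONG_STRING_LEN-1 bytes the loop now stops mid-line, but the unread remainder stays in the pipe and will be handed back as the answer to the next lookup on fpout, desynchronising every later RewriteMap prg call. After hitting the limit, keep reading and discarding bytes until '\n' or EOF before returning the truncated value, so the stream stays at one response per request.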
@@ -2176,7 +2194,7 @@
     static char str2[HUGE_STRING_LEN];
     static char str3[HUGE_STRING_LEN];
     static char type[20];
-    static char redir[20];
+    static char redir[256];
     va_list ap;
     int i;
     request_rec *req;
@@ -2213,7 +2231,7 @@
     else
         sprintf(redir, "/redir#%d", i);
 
-    sprintf(str3, "%s %s [%s/sid#%x][rid#%x/%s%s] (%d) %s\n", str1, current_logtime(r), r->server->server_hostname, (unsigned int)(r->server), (unsigned int)r, type, redir, level, str2);
+    sprintf(str3, "%.500s %.500s [%.500s/sid#%x][rid#%x/%.500s%.500s] (%d) %.1000s\n", str1, current_logtime(r), r->server->server_hostname, (unsigned int)(r->server), (unsigned int)r, type, redir, level, str2);
 
     write(conf->rewritelogfp, str3, strlen(str3));
 
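Review bot: the %.1000s cap on str2 is tighter than what the callers earlier in this patch can produce (several rewritelog formats pass three %.500s fields, up to 1500 bytes plus fixed text), so long map keys and values will still be cut in the log, just one stage later. With str3 being HUGE_STRING_LEN and every other field capped at 500, the str2 cap can be raised to HUGE_STRING_LEN minus the sum of the other maxima and the fixed text. The %.500s on type and redir is harmless (type[20] and redir[256] are filled by sprintf of small values) but adds noise; the return value of write() is still unchecked.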
@@ -2229,7 +2247,7 @@
     long timz;
 #endif
     struct tm *t;
-    char tstr[80];
+    char tstr[256];
     char sign;
     
     t = get_gmtoff(&timz);
@@ -2237,7 +2255,7 @@
     if(timz < 0) 
         timz = -timz;
 
-    strftime(tstr, MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t);
+    strftime(tstr, 100,"[%d/%b/%Y:%H:%M:%S ",t);
 
 #ifdef IS_APACHE_12
     sprintf(tstr + strlen(tstr), "%c%.2d%.2d]", sign, timz/60, timz%60);
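Review bot: strftime(tstr, 100, ...) uses a magic size unrelated to the buffer; pass sizeof(tstr) instead. Note also that strftime returns 0 and leaves tstr unspecified when the result does not fit, after which the sprintf(tstr + strlen(tstr), ...) below would run on garbage; the fixed format is far shorter than 100 bytes, but checking the return value (or setting tstr[0] = '\0' before the call) costs nothing.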
@@ -2319,12 +2337,14 @@
 */
 
 
+/* buf needs to have at least MAX_STRING_LEN characters allocated */
 static void expand_variables_inbuffer(request_rec *r, char *buf)
 {
     char *newbuf;
     newbuf = expand_variables(r, buf);
     if (strcmp(newbuf, buf) != 0)
-        strcpy(buf, newbuf);
+        strncpy(buf, newbuf, MAX_STRING_LEN-1);
+        buf[MAX_STRING_LEN-1] = '\0';
     return;
 }
 
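Review bot: the added terminator line is outside the if: with no braces only the strncpy is conditional, and buf[MAX_STRING_LEN-1] = '\0' runs on every call, which the indentation disguises. Wrap both statements in braces. As written this is harmless only because the new comment promises buf has MAX_STRING_LEN bytes; a caller with a shorter buffer gets a write past its end even when nothing was expanded. A cheaper copy that also avoids strncpy's zero padding of the whole buffer on short strings is to compute n = the smaller of strlen(newbuf) and MAX_STRING_LEN-1, memcpy(buf, newbuf, n) and set buf[n] = '\0'.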
@@ -2337,25 +2357,27 @@
     char *cp3;
     int expanded;
 
-    strcpy(input, str);
+    strncpy(input, str, sizeof(input)-1);
+    input[sizeof(input)-1] = '\0';
     output[0] = '\0';
     expanded = 0;
     for (cp = input; cp < input+MAX_STRING_LEN; ) {
         if ((cp2 = strstr(cp, "%{")) != NULL) {
             if ((cp3 = strstr(cp2, "}")) != NULL) {
                 *cp2 = '\0';
-                strcpy(&output[strlen(output)], cp);
+                strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1);
 
                 cp2 += 2;
                 *cp3 = '\0';
-                strcpy(&output[strlen(output)], lookup_variable(r, cp2));
+                strncpy(&output[strlen(output)], lookup_variable(r, cp2), sizeof(output)-strlen(output)-1);
 
                 cp = cp3+1;
                 expanded = 1;
                 continue;
             }
         }
-        strcpy(&output[strlen(output)], cp);
+        strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1);
+        output[sizeof(output)-1] = '\0';
         break;
     }
     return expanded ? pstrdup(r->pool, output) : str;
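Review bot: the two strncpy calls inside the '%{' branch can leave output unterminated. strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1) writes no NUL when the source fills the given count exactly, and output[sizeof(output)-1] = '\0' only executes on the final break path, so the next iteration's strlen(output) (and therefore the next copy offset) can run past the array. The cheap fix is to set output[sizeof(output)-1] = '\0' once, right after output[0] = '\0' and before the loop: none of the strncpy calls ever write that last byte, so the terminator survives and every strlen(output) stays in bounds. The same applies to the lookup_variable copy.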
@@ -2662,7 +2684,8 @@
     output = input;
 
     /* first, remove the local directory prefix */
-    strcpy(matchbuf, match);
+    strncpy(matchbuf, match, sizeof(matchbuf)-2); /* below code may add one char */
+    matchbuf[sizeof(matchbuf)-2] = '\0';
     /* allways have a trailing slash */
     l = strlen(matchbuf);
     if (matchbuf[l-1] != '/') {
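Review bot: matchbuf[l-1] is read with l == 0 when match is the empty string, which the new strncpy does nothing to prevent (the old strcpy had the same problem); guard the trailing-slash check with 'if (l == 0 || matchbuf[l-1] != '/')'. The -2 reservation for the appended slash is correct. substbuf in the next hunk has the identical l-1 read and wants the same guard.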
@@ -2671,11 +2694,12 @@
        l++;
     }
     if (strncmp(input, matchbuf, l) == 0) {
-        rewritelog(r, 5, "strip matching prefix: %s -> %s", output, output+l);
+        rewritelog(r, 5, "strip matching prefix: %.500s -> %.500s", output, output+l);
         output = pstrdup(r->pool, output+l); 
 
         /* and now add the base-URL as replacement prefix */
-        strcpy(substbuf, subst);
+        strncpy(substbuf, subst, sizeof(substbuf)-2); /* below code may add one char */
+        substbuf[sizeof(substbuf)-2] = '\0';
         /* allways have a trailing slash */
         l = strlen(substbuf);
         if (substbuf[l-1] != '/') {
@@ -2684,11 +2708,11 @@
            l++;
         }
         if (output[0] == '/') {
-            rewritelog(r, 4, "add subst prefix: %s -> %s%s", output, substbuf, output+1);
+            rewritelog(r, 4, "add subst prefix: %.500s -> %.500s%.500s", output, substbuf, output+1);
             output = pstrcat(r->pool, substbuf, output+1, NULL);
         }
         else {
-            rewritelog(r, 4, "add subst prefix: %s -> %s%s", output, substbuf, output);
+            rewritelog(r, 4, "add subst prefix: %.500s -> %.500s%.500s", output, substbuf, output);
             output = pstrcat(r->pool, substbuf, output, NULL);
         }
     }
@@ -2784,7 +2808,8 @@
     char curpath[LONG_STRING_LEN];
     char *cp;
 
-    strcpy(curpath, path);
+    strncpy(curpath, path, sizeof(curpath)-1);
+    curpath[sizeof(curpath)-1] = '\0';
     if (curpath[0] != '/') 
         return 0;
     if ((cp = strchr(curpath+1, '/')) != NULL)
Index: mod_usertrack.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_usertrack.c,v
retrieving revision 1.6
diff -u -r1.6 mod_usertrack.c
--- mod_usertrack.c	1996/12/01 20:29:26	1.6
+++ mod_usertrack.c	1997/01/01 03:53:21
@@ -121,8 +121,8 @@
     cookie_log_state *cls = get_module_config (r->server->module_config,
 					       &usertrack_module);
     struct timeval tv;
-    char *new_cookie = palloc( r->pool, 100);	/* 100 = blurgh */
-    char *cookiebuf = palloc( r->pool, 100);
+    char *new_cookie = palloc( r->pool, 1024);	/* 1024 = blurgh */
+    char *cookiebuf = palloc( r->pool, 256);
     char *dot;
     const char *rname = pstrdup(r->pool, 
 		       	    get_remote_host(r->connection, r->per_dir_config,
@@ -133,7 +133,7 @@
     if ((dot = strchr(rname,'.'))) *dot='\0';	/* First bit of hostname */
     gettimeofday(&tv, &tz);
 
-    sprintf(cookiebuf, "%s%d%ld%d", rname, (int)getpid(),
+    sprintf(cookiebuf, "%.200s%d%ld%d", rname, (int)getpid(),
 	      (long)tv.tv_sec, (int)tv.tv_usec/1000);	    
 
     if (cls->expires) {
@@ -155,14 +155,14 @@
 
       /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */
       sprintf(new_cookie,
-	   "%s%s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
+	   "%.256s%.256s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
 	      COOKIE_NAME, cookiebuf, days[tms->tm_wday],
 	      tms->tm_mday, month_snames[tms->tm_mon],
 	      (tms->tm_year >= 100) ? tms->tm_year - 100 : tms->tm_year,
 	      tms->tm_hour, tms->tm_min, tms->tm_sec);
     }
     else
-      sprintf(new_cookie,"%s%s; path=/", COOKIE_NAME, cookiebuf);
+      sprintf(new_cookie,"%.256s%.256s; path=/", COOKIE_NAME, cookiebuf);
 
     table_set(r->headers_out,"Set-Cookie",new_cookie);
     table_set(r->notes, "cookie", cookiebuf); /* log first time */
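Review bot: the sizes 1024 and 256 passed to palloc above and the 200/256 precisions in these format strings are independent literals that have to stay consistent: cookiebuf holds at most 200 characters plus three small integers, well under 256, and new_cookie receives at most 256 + 256 bytes plus roughly 50 bytes of fixed text, under 1024, so the arithmetic works today. Define the two buffer sizes once (a macro next to COOKIE_NAME, say) and derive the precisions from them, or a later resize of one palloc will silently reopen the overflow. The days[] and month_snames[] %s fields are constant tables and need no cap.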
Index: util.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/util.c,v
retrieving revision 1.37
diff -u -r1.37 util.c
--- util.c	1996/12/28 00:04:53	1.37
+++ util.c	1997/01/01 04:11:56
@@ -768,7 +768,8 @@
 }
 
 char *construct_server(pool *p, const char *hostname, int port) {
-    char portnum[10];		/* Long enough.  Really! */
+    char portnum[22];
+	/* Long enough, even is port > 16 bits for some reason */
   
     if (port == 80)
 	return (char *)hostname;
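Review bot: typo in the new comment: 'even is port > 16 bits' should read 'even if port > 16 bits'. 22 bytes is enough for a separator, a sign, 19 digits and the terminator, so any 64-bit int printed with %d fits; the comment could state that derivation so the next reader does not have to redo it.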
@@ -1317,7 +1318,7 @@
     int offset;
 
     offset = 0;
-    for (loop=0; loop < (strlen(path) + 1); loop++) {
+    for (loop=0; loop < (strlen(path) + 1) && loop < sizeof(newpath)-1; loop++) {
         if (path[loop] == '/') {
             newpath[offset] = '\\';
             /*
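Review bot: the new loop bound checks loop, the read index into path, but the writes go through offset, which the '/' branch advances on its own in the lines between the two hunks; if that branch ever emits more than one byte per input byte, offset can still exceed sizeof(newpath)-1. Bound the write side instead, e.g. 'offset < sizeof(newpath)-1' (or -2 if a branch writes two bytes), and after the loop terminate at the write position with newpath[offset] = '\0' rather than newpath[sizeof(newpath)-1] = '\0' as in the next hunk, which leaves uninitialised bytes between offset and the end whenever the copy was cut short. The comparison of an int loop against a size_t sizeof will also warn under -Wsign-compare.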
@@ -1328,6 +1329,7 @@
             newpath[offset] = path[loop];
         offset = offset + 1;
     };
+    newpath[sizeof(newpath)-1] = '\0';
     /* Debugging code */
     /* fprintf(stderr, "%s \n", newpath); */
 
Index: util_script.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/util_script.c,v
retrieving revision 1.35
diff -u -r1.35 util_script.c
--- util_script.c	1996/12/28 18:16:10	1.35
+++ util_script.c	1997/01/01 04:22:21
@@ -94,6 +94,7 @@
 	av[idx] = escape_shell_cmd(r->pool, t);
 	av[idx] = t;
 	idx++;
+	if (idx >= APACHE_ARG_MAX-1) break;
 	
 	while ((t = strtok(NULL, "+")) != NULL) {
 	    unescape_url(t);
@@ -101,12 +102,14 @@
 	    av[idx] = escape_shell_cmd(r->pool, t);
 	    av[idx] = t;
 	    idx++;
+	    if (idx >= APACHE_ARG_MAX-1) break;
 	}
+	if (idx >= APACHE_ARG_MAX-1) break;
 	va_end(args);
     }
     va_end(args);
 
-    av[idx] = NULL;
+    av[idx] = '\0';
     return av;
 }
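Review bot: av[idx] = '\0' is a step backwards from av[idx] = NULL: av is an array of char *, and the sentinel is a null pointer, not a character; '\0' happens to be a valid null pointer constant, but NULL says what is meant, so keep it. The idx checks themselves reserve the last slot for the terminator (APACHE_ARG_MAX-1), which is right. Separately, the context lines show av[idx] = escape_shell_cmd(r->pool, t) immediately overwritten by av[idx] = t, so unless escape_shell_cmd also modifies t in place the escaped copy is discarded; not introduced by this patch, but worth a look while the function is open.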
 
Index: modules/proxy/proxy_cache.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_cache.c,v
retrieving revision 1.7
diff -u -r1.7 proxy_cache.c
--- proxy_cache.c	1996/11/25 15:22:11	1.7
+++ proxy_cache.c	1997/01/01 06:31:30
@@ -194,7 +194,7 @@
     struct gc_ent *fent;
     int nfiles=0;
 
-    sprintf(cachedir,"%s%s",cachebasedir,cachesubdir);
+    sprintf(cachedir,"%.500s%.500s",cachebasedir,cachesubdir);
     Explain1("GC Examining directory %s",cachedir);
     dir = opendir(cachedir);
     if (dir == NULL)
@@ -206,7 +206,7 @@
     while ((ent = readdir(dir)) != NULL)
     {
 	if (ent->d_name[0] == '.') continue;
-	sprintf(filename, "%s%s", cachedir, ent->d_name);
+	sprintf(filename, "%.500s%.500s", cachedir, ent->d_name);
 	Explain1("GC Examining file %s",filename);
 /* is it a temporary file? */
 	if (strncmp(ent->d_name, "tmp", 3) == 0)
@@ -251,12 +251,12 @@
 	    {
 	    char newcachedir[HUGE_STRING_LEN];
 	    close(fd);
-	    sprintf(newcachedir,"%s%s/",cachesubdir,ent->d_name);
+	    sprintf(newcachedir,"%.500s%.500s/",cachesubdir,ent->d_name);
 	    if(!sub_garbage_coll(r,files,cachebasedir,newcachedir))
 		{
-		sprintf(newcachedir,"%s%s",cachedir,ent->d_name);
+		sprintf(newcachedir,"%.500s%.500s",cachedir,ent->d_name);
 #if TESTING
-		fprintf(stderr,"Would remove directory %s\n",newcachedir);
+		fprintf(stderr,"Would remove directory %.500s\n",newcachedir);
 #else
 		rmdir(newcachedir);
 #endif
@@ -284,7 +284,7 @@
 	    {
 		log_error("proxy: deleting bad cache file", r->server);
 #if TESTING
-		fprintf(stderr,"Would unlink bad file %s\n",filename);
+		fprintf(stderr,"Would unlink bad file %.500s\n",filename);
 #else
 		unlink(filename);
 #endif
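Review bot: the %.500s additions to the fprintf(stderr, ...) calls in this hunk and the previous one buy nothing: fprintf writes to a stream, not a fixed buffer, so there is no overflow to prevent, and the cap only hides the tail of the path in the TESTING diagnostics. Leave those as plain %s and keep the precision for the sprintf calls into fixed arrays.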
@@ -303,8 +303,10 @@
 	fent = palloc(r->pool, sizeof(struct gc_ent));
 	fent->len = buf.st_size;
 	fent->expire = expire;
-	strcpy(fent->file,cachesubdir);
-	strcat(fent->file, ent->d_name);
+	strncpy(fent->file,cachesubdir, sizeof(fent->file)-1);
+	fent->file[sizeof(fent->file)-1] = '\0';
+	strncat(fent->file, ent->d_name, sizeof(fent->file)-strlen(fent->file)-1 );
+	fent->file[sizeof(fent->file)-1] = '\0';
 	*(struct gc_ent **)push_array(files) = fent;
 
 /* accumulate in blocks, to cope with directories > 4Gb */
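Review bot: the second fent->file[sizeof(fent->file)-1] = '\0' is redundant: strncat always appends a terminator when given sizeof - strlen - 1 as the count, so only the one after strncpy is needed. More importantly, silently truncating a cache path is the wrong failure mode for an entry that the collector will later unlink() or rmdir(): a shortened name can refer to an unrelated file or directory under the cache root. Skip (and log) entries whose cachesubdir plus d_name would not fit, rather than shortening them.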
Index: modules/proxy/proxy_ftp.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_ftp.c,v
retrieving revision 1.4
diff -u -r1.4 proxy_ftp.c
--- proxy_ftp.c	1996/12/24 17:23:24	1.4
+++ proxy_ftp.c	1997/01/01 06:46:01
@@ -109,7 +109,7 @@
 int
 proxy_ftp_canon(request_rec *r, char *url)
 {
-    char *user, *password, *host, *path, *parms, *p, sport[7];
+    char *user, *password, *host, *path, *parms, *p, sport[22];
     const char *err;
     int port;
 
@@ -220,12 +220,12 @@
     char buf[IOBUFSIZE];
     char buf2[IOBUFSIZE];
     char *filename;
-    char urlptr[100];
+    char urlptr[HUGE_STRING_LEN];
     long total_bytes_sent;
     register int n, o, w;
     conn_rec *con = r->connection;
 
-    sprintf(buf,"<HTML><HEAD><TITLE>%s</TITLE></HEAD><BODY><H1>Directory %s</H1><HR><PRE>", url, url);
+    sprintf(buf,"<HTML><HEAD><TITLE>%.500s</TITLE></HEAD><BODY><H1>Directory %.500s</H1><HR><PRE>", url, url);
     bwrite(con->client, buf, strlen(buf));
     if (f2 != NULL) bwrite(f2, buf, strlen(buf));
     total_bytes_sent=strlen(buf);
@@ -247,8 +247,8 @@
             do filename--; while (filename[0]!=' ');
             *(filename++)=0;
             *(link++)=0;
-            sprintf(urlptr, "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
-            sprintf(buf2, "%s <A HREF=\"%s\">%s %s</A>\015\012", buf, urlptr, filename, link);
+            sprintf(urlptr, "%.500s%s%.500s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
+            sprintf(buf2, "%.500s <A HREF=\"%.500s\">%.500s %.500s</A>\015\012", buf, urlptr, filename, link);
             strcpy(buf, buf2);
             n=strlen(buf);
         }
@@ -260,8 +260,8 @@
             /* Special handling for '.' and '..' */
             if (!strcmp(filename, "."))
             {
-                sprintf(urlptr, "%s",url);
-                sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
+                sprintf(urlptr, "%.500s",url);
+                sprintf(buf2, "%.500s <A HREF=\"%.500s\">%.500s</A>\015\012", buf, urlptr, filename);
             }
             else if (!strcmp(filename, ".."))
             {
@@ -269,7 +269,8 @@
                 char newpath[200];
                 char *method, *host, *path, *newfile;
    
-                strcpy(temp,url);
+                strncpy(temp,url,sizeof(temp)-1);
+		temp[sizeof(temp)-1] = '\0';
                 method=temp;
 
                 host=strchr(method,':');
@@ -281,18 +282,19 @@
                 if (path == NULL) path="";
                 else *(path++)=0;
                 
-                strcpy(newpath,path);
+                strncpy(newpath,path,sizeof(newpath)-1);
+		newpath[sizeof(newpath)-1] = '\0';
                 newfile=strrchr(newpath,'/');
                 if (newfile) *(newfile)=0;
                 else newpath[0]=0;
 
-                sprintf(urlptr,"%s://%s/%s",method,host,newpath);
-                sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
+                sprintf(urlptr,"%.500s://%.500s/%.500s",method,host,newpath);
+                sprintf(buf2, "%.500s <A HREF=\"%.500s\">%.500s</A>\015\012", buf, urlptr, filename);
             }
             else 
             {
-                sprintf(urlptr, "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
-                sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
+                sprintf(urlptr, "%.500s%s%.500s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
+                sprintf(buf2, "%.500s <A HREF=\"%.500s\">%.500s</A>\015\012", buf, urlptr, filename);
             }
             strcpy(buf, buf2);
             n=strlen(buf);
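Review bot: the two new terminator lines (temp[...] in the previous hunk and newpath[...] here) are indented with a tab while the surrounding code uses spaces; match the file's indentation. The copies themselves are sound: newpath[200] is terminated before strrchr, and urlptr is HUGE_STRING_LEN, so three 500-byte fields plus "://" and "/" fit. The url[strlen(url)-1] read in the else branch still assumes url is non-empty, which predates this patch.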
@@ -313,7 +315,7 @@
             o+=w;
         }
     }
-    sprintf(buf,"</PRE><HR><I><A HREF=\"http://www.apache.org\">%s</A></I></BODY></HTML>", SERVER_VERSION);
+    sprintf(buf,"</PRE><HR><I><A HREF=\"http://www.apache.org\">%.500s</A></I></BODY></HTML>", SERVER_VERSION);
     bwrite(con->client, buf, strlen(buf));
     if (f2 != NULL) bwrite(f2, buf, strlen(buf));
     total_bytes_sent+=strlen(buf);
@@ -640,7 +642,7 @@
         if (bind(dsock, (struct sockaddr *)&server,
             sizeof(struct sockaddr_in)) == -1)
         {
-	    char buff[22];
+	    char buff[256];
 
 	    sprintf(buff, "%s:%d", inet_ntoa(server.sin_addr), server.sin_port);
 	    proxy_log_uerror("bind", buff,
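Review bot: 256 bytes is far more than this message can need (inet_ntoa gives at most 15 characters, plus ':', at most 5 digits for a port and the NUL, which is exactly the original 22), so the enlargement is harmless but was not the problem. What makes the message wrong for debugging is that server.sin_port is in network byte order; log ntohs(server.sin_port) instead.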
Index: modules/proxy/proxy_http.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_http.c,v
retrieving revision 1.9
diff -u -r1.9 proxy_http.c
--- proxy_http.c	1996/12/10 04:16:44	1.9
+++ proxy_http.c	1997/01/01 06:48:48
@@ -66,7 +66,7 @@
 int
 proxy_http_canon(request_rec *r, char *url, const char *scheme, int def_port)
 {
-    char *host, *path, *search, *p, sport[7];
+    char *host, *path, *search, *p, sport[23];
     const char *err;
     int port;
 
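Review bot: sport is sized 23 here but 22 in the matching proxy_ftp_canon change, for what looks like the same port-to-string conversion; pick one value, explain it in a comment (sign, up to 20 digits and the NUL for a 64-bit int is 22), and preferably share it as a macro in the proxy header so the two canon functions cannot drift apart again.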
Index: modules/proxy/proxy_util.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_util.c,v
retrieving revision 1.5
diff -u -r1.5 proxy_util.c
--- proxy_util.c	1996/10/27 18:29:57	1.5
+++ proxy_util.c	1997/01/01 06:59:21
@@ -296,7 +296,7 @@
     for (mon=0; mon < 12; mon++) if (strcmp(month, months[mon]) == 0) break;
     if (mon == 12) return x;
 
-    if (strlen(x) < 31) x = palloc(p, 31);
+    if (strlen(x) < 256) x = palloc(p, 256);
     sprintf(x, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", wday[wk], mday,
 	    months[mon], year, hour, min, sec);
     return x;
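Review bot: the in-place branch is surprising: when strlen(x) >= 256 the function overwrites the caller's string in place, and only when it is shorter does it allocate; the original 31 at least matched the 29 characters plus NUL that this sprintf produces for a four-digit year. Unless writing into the caller's buffer is intentional, palloc(p, 256) unconditionally and drop the strlen test; if it is intentional, say so in a comment, since nothing in the hunk makes the aliasing obvious.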


