httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: Might as well be a CERT warning.
Date Sat, 11 Jan 1997 04:15:35 GMT
On Fri, 10 Jan 1997, Brian Behlendorf wrote:

> 
> Wonderful.
> 
> The question is, should we release a patch for 1.1.1?  I think so, since
> it looks like it'll be an easy fix.
> 
> COMMENTS PLEASE.

Yup, release a patch; in fact, get a patch out now, linked to from
the main web page and ask him to add a pointer to the "official"
fix.  Note that:
	- I don't think it is the most serious hole in the code
	- I am very doubtful about how easy (or possible) this is to
	  exploit because of several things, including what he mentions.
	- I think there will be more holes found quite soon after
	  the release of this advisory, when people think to start 
	  looking.  It won't take long to find others.  

The suggested patch looks fine, and isn't worth arguing about too
much since it will be fixed with snprintf.

> Fix Information
> ~~~~~~~~~~~~~~~
> We suggest increasing the buffer length to handle 255 character hostnames,
> and verifying that hostname length is within acceptable limits.  Apply the
> following diff, recompile, and then kill and restart your httpd in order
> to fix Apache 1.1.1:
> 
> *** mod_cookies.c       Tue Jan  7 14:38:15 1997
> --- /usr/tmp/mod_cookies.c      Tue Jan  7 14:38:11 1997
> ***************
> *** 119,125 ****
>   void make_cookie(request_rec *r)
>   {
>       struct timeval tv;
> !     char new_cookie[100];     /* blurgh */
>       char *dot;
>       const char *rname = pstrdup(r->pool, 
>                                 get_remote_host(r->connection, r->per_dir_config,
> --- 119,125 ----
>   void make_cookie(request_rec *r)
>   {
>       struct timeval tv;
> !     char new_cookie[1024];    /* blurgh */
>       char *dot;
>       const char *rname = pstrdup(r->pool, 
>                                 get_remote_host(r->connection, r->per_dir_config,
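Review bot: enlarging new_cookie[] from 100 to 1024 bytes only bounds the overflow if every `%s` argument is bounded too, and this hunk on its own leaves the `sprintf(new_cookie, ...)` call unchecked; the cap on `rname` lives in the next hunk, so the two cannot be applied separately. The new size is still a guess (the `/* blurgh */` comment survives the change), so the safer edit is to replace the `sprintf` with `snprintf(new_cookie, sizeof new_cookie, ...)` and check its return value against `sizeof new_cookie`, so that a later change to the format string or to COOKIE_NAME cannot reintroduce the overflow silently.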
> ***************
> *** 128,133 ****
> --- 128,136 ----
>       struct timezone tz = { 0 , 0 };
>   
>       if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */
> +     if (strlen (rname) > 255)
> +       rname[256] = 0;
> + 
>       gettimeofday(&tv, &tz);
>       sprintf(new_cookie,"%s%s%d%ld%d; path=/",
>           COOKIE_NAME, rname,
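Review bot: `rname[256] = 0` writes through `const char *rname` (declared in the previous hunk), which a conforming C compiler rejects as assignment to a read-only location; it is also off by one against the stated 255-character limit, since after the write the string is still 256 characters long. Suggest dropping the `const` qualifier on the declaration (the string already comes from `pstrdup`, so it is a private copy) and writing `if (strlen(rname) > 255) rname[255] = '\0';`. The check also belongs before any use of `rname`, as here, because the value is whatever `get_remote_host` hands back for the connection, not something the server controls.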

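As an added example (not Apache code and not from the advisory quoted above), the cookie-formatting pattern from the quoted make_cookie(), rebuilt around snprintf as Marc suggests, plus a hostname clip that does what the advisory's length check intends without writing through a const pointer. COOKIE_NAME's real value and the three numeric arguments after rname are not shown in the quoted diff, so the values here are assumptions; the long hostname is constructed input standing in for a reverse-DNS name returned by get_remote_host().

```c
/*
 * Added example, not Apache code: the cookie-formatting pattern from the
 * quoted make_cookie(), built around snprintf instead of sprintf, plus a
 * hostname clip mirroring the advisory's "first label, at most 255 chars"
 * intent. COOKIE_NAME's real value and the three numeric arguments are
 * not on the page; the values used here are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define COOKIE_NAME "Apache="      /* assumed; real macro not on the page */
#define HOST_MAX     255           /* limit named in the advisory */
#define OLD_BUF      100           /* original new_cookie[] size */
#define NEW_BUF      1024          /* size after the advisory's patch */

/* Copy the first DNS label of src (up to the first '.') into dst, clipped
 * to at most HOST_MAX characters. dst must hold HOST_MAX + 1 bytes.
 * Returns the resulting length. The source string is never modified. */
size_t clip_hostname(const char *src, char dst[HOST_MAX + 1])
{
    const char *dot = strchr(src, '.');
    size_t len = dot ? (size_t)(dot - src) : strlen(src);
    if (len > HOST_MAX)
        len = HOST_MAX;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Bytes the formatted cookie needs, excluding the terminating NUL.
 * snprintf with a zero-length buffer only measures; it writes nothing. */
size_t cookie_len_needed(const char *rname, int pid, long sec, int usec)
{
    int n = snprintf(NULL, 0, "%s%s%d%ld%d; path=/",
                     COOKIE_NAME, rname, pid, sec, usec);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened formatter: writes into buf[bufsz], always NUL-terminates,
 * returns 1 if the whole cookie fit and 0 if snprintf had to truncate.
 * A caller must treat 0 as an error, not send the clipped cookie. */
int make_cookie_safe(char *buf, size_t bufsz, const char *rname,
                     int pid, long sec, int usec)
{
    int n = snprintf(buf, bufsz, "%s%s%d%ld%d; path=/",
                     COOKIE_NAME, rname, pid, sec, usec);
    return n >= 0 && (size_t)n < bufsz;
}

/* Constructed input: a 300-character first label, far longer than the
 * 100-byte buffer the original sprintf wrote into. */
static void fill_long_label(char *host, size_t n)
{
    memset(host, 'a', n);
    host[n] = '\0';
}

int main(void)
{
    char raw[512], rname[HOST_MAX + 1], buf_old[OLD_BUF], buf_new[NEW_BUF];
    fill_long_label(raw, 300);
    strcat(raw, ".example.invalid");   /* strchr('.') cuts here, as in the original */

    size_t len  = clip_hostname(raw, rname);
    size_t need = cookie_len_needed(rname, 12345, 852000000L, 123456);
    printf("label clipped to %zu chars, cookie needs %zu bytes\n", len, need);
    printf("%d-byte buffer: %s\n", OLD_BUF,
           make_cookie_safe(buf_old, sizeof buf_old, rname, 12345, 852000000L, 123456)
               ? "fits" : "truncated");
    printf("%d-byte buffer: %s\n", NEW_BUF,
           make_cookie_safe(buf_new, sizeof buf_new, rname, 12345, 852000000L, 123456)
               ? "fits" : "truncated");
    return 0;
}
```

With the assumed values, a 255-character label needs 290 bytes of cookie, so the original 100-byte buffer is reported as truncated rather than overrun, and the 1024-byte buffer fits; the point is that the return-value check, not the particular buffer size, is what keeps the code safe when the inputs change.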
