httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject [PATCH] mod_negotiation small bug fix
Date Fri, 19 Dec 1997 09:20:39 GMT
The strip_paren_comments() function does the wrong thing when given a line
with an unterminated "-quoted string.  It increments the variable hdr
twice, passing the \0 terminator.

This doesn't cause a buffer overflow exploit, but maybe can cause a
segv.

Dean

Index: modules/standard/mod_negotiation.c
===================================================================
RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
retrieving revision 1.61
diff -u -r1.61 mod_negotiation.c
--- mod_negotiation.c	1997/10/22 20:30:26	1.61
+++ mod_negotiation.c	1997/12/19 09:11:35
@@ -645,10 +645,11 @@
 
     while (*hdr) {
         if (*hdr == '"') {
-            while (*++hdr && *hdr != '"') {
-                continue;
-            }
-            ++hdr;
+	    hdr = strchr(hdr, '"');
+	    if (hdr == NULL) {
+		return;
+	    }
+	    ++hdr;
         }
         else if (*hdr == '(') {
             while (*hdr && *hdr != ')') {
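Review bot: the replacement line `hdr = strchr(hdr, '"');` does not skip the quoted string. The enclosing `if (*hdr == '"')` has just established that `hdr` points at the opening quote, so `strchr` returns `hdr` itself and the following `++hdr` only steps over that opening quote; the outer loop then keeps scanning inside the string, so a `(` between the quotes would be treated as a comment start. Searching from the next byte, `hdr = strchr(hdr + 1, '"');`, gives the intended behaviour. The `NULL` check with the early `return` does fix the original problem of stepping past the terminator on an unterminated string. Minor: the added lines are indented with tabs while the surrounding code uses spaces.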


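As an added example, not part of Dean's patch and not the module's own code, here is a stand-alone C version of the same quoted-string/comment scan that handles both an unterminated `"`-quoted string and an unterminated comment without ever stepping past the NUL. `strip_paren_comments_safe` and `strip_matches` are hypothetical names, and blanking a comment with spaces is an assumption, since the page does not show what the original writes over a comment.

```c
#include <stdio.h>
#include <string.h>

/* Blank out "(comment)" sections of a header value in place, leaving "quoted
 * strings" untouched.  Written for this page, not mod_negotiation's own code:
 * the page does not show what the original writes over a comment, so this
 * version overwrites it with spaces and returns the number of bytes blanked. */
size_t strip_paren_comments_safe(char *hdr)
{
    size_t blanked = 0;
    while (*hdr) {
        if (*hdr == '"') {
            /* search from the byte after the opening quote; strchr(hdr, '"') would find the quote itself */
            char *close = strchr(hdr + 1, '"');
            if (close == NULL)
                return blanked;  /* unterminated string: stop at the NUL, never step past it */
            hdr = close + 1;
        } else if (*hdr == '(') {
            while (*hdr && *hdr != ')') {
                *hdr++ = ' ';
                blanked++;
            }
            if (*hdr == ')') {   /* consume the ')' only if one was found */
                *hdr++ = ' ';
                blanked++;
            }
        } else {
            ++hdr;
        }
    }
    return blanked;
}

/* Run the scan on a copy of `in`; returns 1 if the result equals `expected`. */
int strip_matches(const char *in, const char *expected)
{
    char buf[256];
    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    strip_paren_comments_safe(buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char hdr[] = "text/html (lang=en), \"(keep me)\", text/plain; q=\"0.5"; /* constructed sample */
    printf("blanked %zu bytes\n", strip_paren_comments_safe(hdr));
    printf("after:  %s\n", hdr);
    return 0;
}
```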
