httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: security fixes in 1.2.5's proxy_util?
Date Tue, 05 May 1998 02:51:46 GMT
Brian Behlendorf wrote:
> 
> The only security-related fix I can see in the 1.2.x series in the proxy
> code is from proxy_util.c:
> 
>   http://www.apache.org/websrc/cvsweb.cgi/apache-1.2/src/modules/proxy/proxy_util.c.diff?r1=1.17&r2=1.17.2.1
> 
> In which we see the following code snippet introduced:
> 
> +    if (strlen(x)+1 < 30) {
> +        x = palloc(p, 30);
> +    }
> 
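Review bot: the allocation in this hunk replaces x with a fresh 30-byte block but never copies the previous contents of x into it, so whatever the caller had stored in x before the check is lost; if the later write (the snprintf() mentioned in this thread) rewrites the whole buffer that is harmless, otherwise a memcpy of strlen(x)+1 bytes after palloc() is needed. The `strlen(x)+1 < 30` comparison itself is the right one: it counts the terminating NUL, so a 29-character string that already occupies 30 bytes is not reallocated. A named constant for the repeated 30 would keep the size passed to palloc() and the bound passed to snprintf() from drifting apart.
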
> Yet in 1.3's proxy_util.c we see:
> 
>     if (strlen(x) < 30)
>         x = ap_palloc(p, 30);
> 
> I have a hunch that the 1.2.5 code is correct, and the 1.3 code has an
> off-by-one error, since strlen() doesn't count the null() at the end of the
> string, whereas it's necessary to count it for palloc() and snprintf().
> But then again I'm not sure why we're measuring it if we're just trashing
> it later.... do we even need that if()?
> 

Hmmm... thinking about this, it looks like we want to ensure that
x is at least 30 bytes big. If strlen(x) is 29, that means that
the total storage of x is 30 bytes since strlen doesn't count the
null. However, the 1.3 code will go ahead and alloc the space even
when it doesn't need to, whereas the 1.2.5 code won't. Definitely
a bug, but I can't see how it's security related :/

I'll commit.

-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"
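The off-by-one discussed above, written out as a stand-alone C example. This is added illustration, not code from the thread or from Apache: the two predicates are the 1.2.5 and 1.3 tests quoted in the message, MIN_BUF stands for the literal 30, and fake_palloc() and the sized_buf struct are hypothetical stand-ins (APR pools are not available outside the server, and the real code passes x on its own). The copying ensure_capacity() goes one step beyond the quoted snippet by preserving the old contents of x, which only matters if a caller reads them before they are overwritten.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Target size from the quoted snippet: x must end up at least 30 bytes big. */
#define MIN_BUF 30

/* 1.2.5 predicate: strlen() plus the terminating NUL is the storage x
 * already occupies, so compare that against the 30-byte target. */
int needs_alloc_1_2_5(const char *x)
{
    return strlen(x) + 1 < MIN_BUF;
}

/* 1.3 predicate: compares the character count alone, so a 29-character
 * string (already 30 bytes with its NUL) is reallocated needlessly. */
int needs_alloc_1_3(const char *x)
{
    return strlen(x) < MIN_BUF;
}

/* Smallest string length at which the two predicates disagree, or -1.
 * Scans lengths 0..MIN_BUF+5 using a constructed run of 'a' characters. */
int first_disagreeing_length(void)
{
    char s[MIN_BUF + 7];
    int n;
    for (n = 0; n <= MIN_BUF + 5; n++) {
        memset(s, 'a', (size_t)n);
        s[n] = '\0';
        if (needs_alloc_1_2_5(s) != needs_alloc_1_3(s)) {
            return n;
        }
    }
    return -1;
}

/* Hypothetical stand-in for palloc(p, n): plain heap memory, since APR
 * pools are not available stand-alone. Like the pool allocator it does
 * not initialise the bytes it returns. */
static char *fake_palloc(size_t n)
{
    char *m = malloc(n);
    if (m == NULL) {
        abort();
    }
    return m;
}

/* A buffer paired with its capacity, so a later snprintf() can be bounded
 * by the real size instead of a bare repeated constant (constructed for
 * this example; the proxy code passes x on its own). */
struct sized_buf {
    char *p;
    size_t cap;
};

/* Ensure x has at least MIN_BUF bytes of storage, using the 1.2.5 test.
 * Unlike the quoted snippet, the old contents are copied into the new
 * block. When a new block is returned the caller owns it (free() it here;
 * a pool would reclaim it in the real code). */
struct sized_buf ensure_capacity(char *x)
{
    struct sized_buf b;
    size_t used = strlen(x) + 1;   /* bytes x occupies, NUL included */

    if (needs_alloc_1_2_5(x)) {
        b.p = fake_palloc(MIN_BUF);
        b.cap = MIN_BUF;
        memcpy(b.p, x, used);      /* fits: used < MIN_BUF */
    } else {
        b.p = x;
        b.cap = used;              /* storage we know x has, >= MIN_BUF */
    }
    return b;
}

int main(void)
{
    char s29[MIN_BUF];
    memset(s29, 'a', MIN_BUF - 1);
    s29[MIN_BUF - 1] = '\0';

    printf("29-char string: 1.2.5 allocs=%d, 1.3 allocs=%d\n",
           needs_alloc_1_2_5(s29), needs_alloc_1_3(s29));
    printf("predicates first disagree at length %d\n",
           first_disagreeing_length());
    return 0;
}
```

Running it shows the two tests agree for every length except 29: a 29-character string already occupies 30 bytes, so the 1.2.5 form leaves it alone while the 1.3 form allocates again. Carrying the capacity alongside the pointer is what lets the later snprintf() bound be derived from the buffer rather than from a second copy of the constant.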
