httpd-dev mailing list archives

From "Edward Rudd" <ed...@omegaware.com>
Subject httpd-pop3 buffer overflow bug
Date Sun, 04 Jan 2004 02:31:32 GMT
I have found a major buffer overflow bug... I found this while working on my FTP module for Apache 2.0 <http://outoforder.cc/projects/apache/>, which was initially based off of the structure of httpd-pop3.

The issue is that ap_getword_white_nc moves the pointer in buffer up by the number of characters that were extracted and copied into the allocated return value (on line 135, command). After a number of iterations through the main while(1) loop, buffer gets continually incremented well beyond the initial 255 characters that were originally allocated to it, and starts overwriting other elements allocated afterward by r->pool.

This is my solution to fixing the problem.

Here is the patch.
--- pop_protocol.c.bak  Tue Nov  4 15:08:10 2003
+++ pop_protocol.c      Sat Jan  3 20:27:35 2004
@@ -110,7 +110,8 @@

 int process_pop_connection_internal(request_rec *r, apr_bucket_brigade *bb)
 {
-    char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH);
+    char command_buffer[POP_STRING_LENGTH];
+    char *buffer;
     char *command;
     int invalid_cmd = 0;
     apr_size_t len;
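Review bot: the overflow described in the message is a pointer-drift problem, not an allocation-size problem, so swapping the `apr_palloc` for a stack array `char command_buffer[POP_STRING_LENGTH]` is incidental to the fix; a smaller change that keeps the pool allocation and only adds the `buffer` cursor that is reset each iteration would fix the same bug without placing a 255-byte array on the stack of `process_pop_connection_internal`. Either way, `char *buffer;` is left uninitialised here and relies on the assignment inside the loop; declaring it as `char *buffer = command_buffer;` documents the invariant and keeps the first `ap_rgetline` call safe even if the loop body is later reordered.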
@@ -124,7 +125,7 @@

     while (1) {
         int res;
-
+       buffer = command_buffer;
         if ((invalid_cmd > MAX_INVALID_CMD) ||
             ap_rgetline(&buffer, POP_STRING_LENGTH, &len, r, 0, bb) != APR_SUCCESS)
         {
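Review bot: the added `buffer = command_buffer;` is the real fix and sits in the right place, immediately before `ap_rgetline(&buffer, POP_STRING_LENGTH, ...)` receives the pointer that `ap_getword_white_nc` advanced on the previous pass; it deserves a one-line comment saying so, because a reader who does not know that `ap_getword_white_nc` moves its argument will see a redundant assignment and be tempted to remove it. The line is also indented with 7 spaces where the surrounding block uses 8, and it replaces a blank separator line rather than being added after it, which the diff should be tidied to preserve.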



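As an added illustration that is not part of the message or of the httpd-pop3 source, the following C model reproduces the cursor drift described above: a tokenizer that advances the pointer it is given, like ap_getword_white_nc, paired with a line reader that writes at that same pointer on every pass. The tokenizer, the 255-byte allocation size and the repeated `USER alice` client line are simplified stand-ins; `first_overflow_offset` reports where the reader's write would first leave the allocation, with and without the per-iteration reset the patch introduces.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define POP_STRING_LENGTH 255   /* allocation size quoted in the report */

/* Simplified stand-in for ap_getword_white_nc (not the APR code): copy the
 * leading whitespace-delimited word of *line into out, then advance *line
 * past the word and any blanks that follow it. The caller's pointer moves. */
static void getword_white_nc(char **line, char *out, size_t outsz)
{
    const char *p = *line;
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p)) {
        if (n + 1 < outsz)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    while (*p && isspace((unsigned char)*p))
        p++;
    *line = (char *)p;
}

/* Model of the command loop: 'storage' plays the 255-byte pool allocation
 * and 'buffer' the cursor handed to the line reader on each pass. The client
 * is assumed to send the same line every iteration (constructed input).
 * Returns the cursor offset at which the reader's write would first fall
 * outside 'storage', or 0 if every write stayed in bounds. The out-of-bounds
 * write is predicted, never performed. */
size_t first_overflow_offset(const char *client_line, int iterations,
                             int reset_each_iteration)
{
    char storage[POP_STRING_LENGTH];
    char command[POP_STRING_LENGTH];
    char *buffer = storage;
    size_t need = strlen(client_line) + 1;      /* bytes ap_rgetline would store */

    for (int i = 0; i < iterations; i++) {
        if (reset_each_iteration)
            buffer = storage;                   /* the patch's buffer = command_buffer; */
        size_t offset = (size_t)(buffer - storage);
        if (offset + need > POP_STRING_LENGTH)
            return offset;                      /* unpatched code would overflow here */
        memcpy(buffer, client_line, need);      /* stands in for ap_rgetline */
        getword_white_nc(&buffer, command, sizeof command); /* advances buffer */
    }
    return 0;
}
```

With the reset in place the cursor never leaves offset 0, so the function returns 0 however many commands arrive.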