To: dev@httpd.apache.org
From: "Edward Rudd"
Subject: httpd-pop3 buffer overflow bug
Date: Sat, 03 Jan 2004 20:31:32 -0600
Organization: Me Organized?

I have found a major buffer overflow bug. I found this while working on my FTP module for Apache 2.0, which was initially based off of the structure of httpd-pop3.

The issue is that ap_getword_white_nc moves the pointer in buffer up by the number of characters that were extracted and copied into the allocated return value (on line 135, command). After a number of iterations through the main while(1) loop, buffer gets continually incremented well beyond the initial 255 characters that were originally allocated to it, and starts overwriting other elements allocated afterward by r->pool.

This is my solution to fixing the problem. Here is the patch:

--- pop_protocol.c.bak Tue Nov 4 15:08:10 2003 +++ pop_protocol.c Sat Jan 3 20:27:35 2004 @@ -110,7 +110,8 @@ int process_pop_connection_internal(request_rec *r, apr_bucket_brigade *bb) { - char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH); + char command_buffer[POP_STRING_LENGTH]; + char *buffer; char *command; int invalid_cmd = 0; apr_size_t len; @@ -124,7 +125,7 @@ while (1) { int res; - + buffer = command_buffer; if ((invalid_cmd > MAX_INVALID_CMD) || ap_rgetline(&buffer, POP_STRING_LENGTH, &len, r, 0, bb) != APR_SUCCESS) {
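Review bot: in the first hunk (@@ -110,7 +110,8 @@), replacing `char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH);` with a stack array `char command_buffer[POP_STRING_LENGTH];` is not the part that cures the reported drift; the cursor reset is, and moving the storage onto the stack changes what a missed reset corrupts from neighbouring pool allocations to the function's own stack frame (saved registers, return address). Keeping the pool allocation for `command_buffer` and only resetting `buffer` would fix the bug with a smaller blast radius. Whichever storage is kept, the new `char *buffer;` deserves a comment stating that it is a cursor ap_getword_white_nc advances and that only `command_buffer` marks the start of the allocation, since the two names are now easy to confuse.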
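Review bot: in the second hunk (@@ -124,7 +125,7 @@), `buffer = command_buffer;` sits immediately before `ap_rgetline(&buffer, POP_STRING_LENGTH, &len, r, 0, bb)`, which is the right place because that call is where POP_STRING_LENGTH is applied relative to `buffer`; the same line also shows the invariant the loop now depends on: the length passed must describe the space starting at `buffer`, so any future path that advances `buffer` before this call reintroduces the overflow. Suggest a one-line comment on the reset saying so, and passing `sizeof command_buffer` instead of POP_STRING_LENGTH to ap_rgetline so the length and the array cannot diverge if the array is ever resized.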
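The drift the report describes, as an added C example that is not httpd-pop3 code and does not use APR: a toy bump allocator stands in for r->pool, `getword_white` for ap_getword_white_nc, `get_line` for ap_rgetline, `STRING_LENGTH` for POP_STRING_LENGTH, and the `session_t` allocated behind the buffer is a constructed stand-in for whatever the real module allocates next. The constructed input is 65 NOOP lines; each one advances the cursor by four bytes, so the read that lands past the 255-byte allocation clobbers the session's `authenticated` flag. The same loop run with the patch's reset leaves the cursor at offset 0 and the flag intact.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not httpd-pop3 or APR code. All names below are stand-ins
 * (assumptions): STRING_LENGTH for POP_STRING_LENGTH, arena_t for r->pool,
 * getword_white for ap_getword_white_nc, get_line for ap_rgetline. */
#define STRING_LENGTH 255
#define ARENA_SIZE    4096
#define NOOP_LINES    65   /* constructed input: enough 4-byte drifts to reach offset 256 */

/* Toy bump allocator standing in for a pool: objects are laid out back to
 * back, so whatever is allocated after the command buffer sits directly
 * behind it in memory, like later r->pool allocations. */
typedef struct {
    union { char bytes[ARENA_SIZE]; long long align; } u;
    size_t used;
} arena_t;

static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 7) & ~(size_t)7;                 /* keep later objects aligned */
    if (a->used + n > ARENA_SIZE) return NULL;
    void *p = a->u.bytes + a->used;
    a->used += n;
    return p;
}

/* Constructed per-connection state allocated from the same pool right
 * after the command buffer. */
typedef struct { int authenticated; char user[32]; } session_t;

/* Stand-in for ap_getword_white_nc: copy the next whitespace-delimited word
 * out of *line into pool memory and advance *line past it. That advance of
 * the caller's pointer is the side effect the bug report is about. */
static char *getword_white(arena_t *a, char **line) {
    char *p = *line;
    while (*p == ' ' || *p == '\t') p++;
    char *start = p;
    while (*p != '\0' && *p != ' ' && *p != '\t') p++;
    size_t n = (size_t)(p - start);
    char *word = arena_alloc(a, n + 1);
    if (word == NULL) return NULL;
    memcpy(word, start, n);
    word[n] = '\0';
    while (*p == ' ' || *p == '\t') p++;
    *line = p;
    return word;
}

/* Stand-in for ap_rgetline: copy one line of client input into dst, at most
 * n - 1 bytes plus NUL. n bounds the write relative to dst, not relative to
 * the allocation dst originally pointed into. Returns -1 at end of input. */
static int get_line(char *dst, size_t n, const char **input) {
    if (**input == '\0') return -1;
    size_t i = 0;
    while ((*input)[i] != '\0' && (*input)[i] != '\n' && i < n - 1) i++;
    memcpy(dst, *input, i);
    dst[i] = '\0';
    const char *nl = strchr(*input, '\n');
    *input = nl ? nl + 1 : *input + i;
    return (int)i;
}

typedef struct { long drift; int authenticated; } loop_result_t;

/* One simulated command loop over NOOP_LINES constructed "NOOP" lines.
 * reset_cursor == 0 reproduces the reported bug; reset_cursor != 0 applies
 * the patch's fix (point the cursor back at the buffer start before every
 * read). Returns the cursor's offset from the buffer start at loop exit and
 * the session's authenticated flag, which should still be 0. */
loop_result_t run_command_loop(int reset_cursor) {
    static arena_t pool;
    static char input_storage[NOOP_LINES * 5 + 1];
    memset(&pool, 0, sizeof pool);
    for (int i = 0; i < NOOP_LINES; i++) memcpy(input_storage + i * 5, "NOOP\n", 5);
    input_storage[NOOP_LINES * 5] = '\0';
    const char *input = input_storage;

    char *command_buffer = arena_alloc(&pool, STRING_LENGTH);
    session_t *sess = arena_alloc(&pool, sizeof *sess);   /* lands at offset 256 */
    sess->authenticated = 0;

    char *buffer = command_buffer;
    for (;;) {
        if (reset_cursor) buffer = command_buffer;
        /* Without the reset, dst has drifted while n is still STRING_LENGTH. */
        if (get_line(buffer, STRING_LENGTH, &input) < 0) break;
        char *command = getword_white(&pool, &buffer);   /* advances buffer */
        if (command == NULL) break;
    }
    loop_result_t r = { (long)(buffer - command_buffer), sess->authenticated };
    return r;
}

int main(void) {
    loop_result_t bug = run_command_loop(0), fixed = run_command_loop(1);
    printf("no reset: cursor %ld bytes past buffer start (allocation is %d), authenticated=0x%x\n",
           bug.drift, STRING_LENGTH, (unsigned)bug.authenticated);
    printf("reset:    cursor %ld bytes past buffer start, authenticated=%d\n",
           fixed.drift, fixed.authenticated);
    return 0;
}
```

The simulated pool is a single static array, so every write in the buggy run stays inside it and the program runs without undefined behaviour; the point is that the fixed-length read's destination moves while its length does not, which is exactly the condition under which a real pool (or, after the patch, the stack) gets written past the intended object.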