httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
Date Sat, 12 Sep 2009 20:43:29 GMT
On Fri, 11 Sep 2009, Joe Orton wrote:
> +    char *p = ap_strchr(reply, '('), *ep, *term;
> +    long port;
> +
> +    /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
> +     * can be any character in ASCII from 33-126, obscurely.  Verify
> +     * the syntax. */
> +    if (p == NULL || p[1] != p[2] || p[1] != p[3]
> +        || (ep = strchr(p + 4, ')')) == NULL
> +        || ep == p + 4 || ep[-1] != p[1]) {
> +        return 0;
> +    }
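
Review bot: The test "p[1] != p[2] || p[1] != p[3]" never checks that the delimiter p[1] lies in the 33-126 range the comment above it cites, so when reply ends right after '(' p[1] is the terminating NUL and p[2] and p[3] are read past the end of the string. Test p[1] against that range first (for example "p[1] < 33 || p[1] > 126") so evaluation stops before p[2] is touched. The remaining conditions also accept "(||||)", where ep[-1] is p[4] and the port field between p + 4 and ep - 1 is empty, so the code that parses the port has to reject an empty digit string.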

Shouldn't you also check for p[1] != 0 before p[1] != p[2], to catch the 
case where reply ends after the opening bracket?

Apart from that, both this patch and the one you have already 
committed look fine. I haven't actually tested them, though.

Stefan
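
A stand-alone version of the EPSV reply check discussed in this thread, with the delimiter validated before it is compared, follows as an added example (it is not the httpd patch and not code from either poster). The function name parse_epsv_port, the 1-65535 port bound and the sample replies are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not httpd code. Extracts the port from an RFC 2428 EPSV
 * reply such as "229 Entering Extended Passive Mode (|||6446|)".
 * Returns the port (1-65535), or 0 when the reply is malformed.
 * parse_epsv_port is a hypothetical name. */
static unsigned parse_epsv_port(const char *reply)
{
    const char *p = strchr(reply, '(');
    unsigned long port = 0;
    char d;
    int i;

    if (p == NULL)
        return 0;
    d = p[1];
    /* Delimiter must be ASCII 33-126. This also rejects the NUL of a
     * reply that ends right after '(', before p[2] is ever read. */
    if (d < 33 || d > 126)
        return 0;
    /* || short-circuits: p[3] is read only when p[2] is not the NUL. */
    if (p[2] != d || p[3] != d)
        return 0;
    p += 4;
    /* One to five digits. A digit used as delimiter is ambiguous with
     * the port and ends up rejected by the closing check below. */
    for (i = 0; *p >= '0' && *p <= '9'; p++, i++) {
        if (i == 5)
            return 0;
        port = port * 10 + (unsigned long)(*p - '0');
    }
    if (i == 0 || port == 0 || port > 65535)
        return 0;
    /* Closing delimiter and bracket must directly follow the digits. */
    if (p[0] != d || p[1] != ')')
        return 0;
    return (unsigned)port;
}

int main(void)
{
    /* Constructed sample replies: one valid, three malformed. */
    const char *samples[] = { "229 ok (|||6446|)", "229 ok (", "229 ok (||||)", "229 ok (|||)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %u\n", samples[i], parse_epsv_port(samples[i]));
    return 0;
}
```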
