httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: svn commit: r1748653 - /httpd/httpd/trunk/modules/filters/sed0.c
Date Thu, 16 Jun 2016 16:11:34 GMT
Sorry - false alarm, per the open spec for limits.h the patch -is-
correct...

{PATH_MAX}Maximum number of bytes in a pathname, including the terminating
null character.
Minimum Acceptable Value: {_POSIX_PATH_MAX}
[XSI] [image: [Option Start]] Minimum Acceptable Value:
{_XOPEN_PATH_MAX} [image:
[Option End]]


On Thu, Jun 16, 2016 at 11:06 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> ATTN Jim,
>
> I presume you didn't read the note below?
>
>
> On Thu, Jun 16, 2016 at 6:59 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
>
>> This looks inverted.  The buffer should be MAX+1.
>>
>> This logic error leads to paths valid in one context, which fail later in
>> the next bit of code.
>> On Jun 16, 2016 12:17 AM, <jailletc36@apache.org> wrote:
>>
>>> Author: jailletc36
>>> Date: Thu Jun 16 05:17:35 2016
>>> New Revision: 1748653
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1748653&view=rev
>>> Log:
>>> Fix a potential buffer overflow.
>>>
>>> Modified:
>>>     httpd/httpd/trunk/modules/filters/sed0.c
>>>
>>> Modified: httpd/httpd/trunk/modules/filters/sed0.c
>>> URL:
>>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/sed0.c?rev=1748653&r1=1748652&r2=1748653&view=diff
>>>
>>> ==============================================================================
>>> --- httpd/httpd/trunk/modules/filters/sed0.c (original)
>>> +++ httpd/httpd/trunk/modules/filters/sed0.c Thu Jun 16 05:17:35 2016
>>> @@ -588,7 +588,7 @@ jtcommon:
>>>                      command_errf(commands, SEDERR_SMMES,
>>> commands->linebuf);
>>>                      return -1;
>>>                  }
>>> -                if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX])
>>> == NULL) {
>>> +                if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX-1])
>>> == NULL) {
>>>                      command_errf(commands, SEDERR_FNTL,
>>> commands->linebuf);
>>>                      return -1;
>>>                  }
>>> @@ -617,7 +617,7 @@ jtcommon:
>>>                  command_errf(commands, SEDERR_SMMES, commands->linebuf);
>>>                  return -1;
>>>              }
>>> -            if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX]) ==
>>> NULL) {
>>> +            if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX-1]) ==
>>> NULL) {
>>>                  command_errf(commands, SEDERR_FNTL, commands->linebuf);
>>>                  return -1;
>>>              }
>>>
>>>
>>>
>

Mime
View raw message