www-apache-bugdb mailing list archives

From Charles Fu <c...@klab.caltech.edu>
Subject general/1847: ap_cpystrn has off by one error
Date Fri, 20 Feb 1998 10:51:20 GMT

>Number:         1847
>Category:       general
>Synopsis:       ap_cpystrn has off by one error
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Feb 20 03:00:00 PST 1998
>Originator:     ccwf@klab.caltech.edu
>Release:        1.3b5
>Environment:
Linux 2.0.33 i586 w/ glibc 2.0.5c
>Description:
In the normal case where dst_size doesn't end the copy, the null-terminated
string is copied, the pointer advanced, another null added, and the pointer
to the extra null is returned.
>How-To-Repeat:
Try doing a "RewriteCond %{REQUEST_METHOD} =GET", turn on the rewrite log, and
issue a GET request to the server.  The rewrite log will show that "input=''"
because the ap_cpystrn error results in incorrect concatenation.  (The input
winds up being \0GET\0\0\0.)
>Fix:
Try this replacement:

API_EXPORT(char *) ap_cpystrn(char *dst, const char *src, size_t dst_size)
{
    char *d, *end;

    if (!dst_size)
        return (dst);

    d = dst;
    end = dst + dst_size - 1;

    /* copy up to dst_size - 1 bytes; on hitting the source terminator,
     * return a pointer to the terminator just written, not one past it */
    for (; d < end; ++d, ++src)
        if (!(*d = *src))
            return (d);

    *d = '\0';	/* always null terminate */

    return (d);
}

[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
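Added example, not code from the report above or from Apache: it models the
behaviour PR 1847 describes and contrasts it with the reporter's replacement.
buggy_cpystrn is a reconstruction from the description in the report (the actual
1.3b5 source is not on this page, so its exact shape is an assumption);
fixed_cpystrn is the posted replacement with API_EXPORT dropped. The two check
helpers and the "" + "GET" inputs are constructed for the example and mirror the
"input=''" symptom in the rewrite log.

```c
/*
 * Added example, not from the bug report or from Apache.
 * buggy_cpystrn models the reported 1.3b5 behaviour (assumption);
 * fixed_cpystrn is the replacement posted in PR 1847.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef char *(*cpystrn_fn)(char *, const char *, size_t);

/* Model of the reported 1.3b5 behaviour (assumption): when the copy is
 * not cut short by dst_size, the terminator is copied, the pointer is
 * advanced past it, a second '\0' is written and THAT pointer is
 * returned, one byte past the real end of the string. */
static char *buggy_cpystrn(char *dst, const char *src, size_t dst_size)
{
    char *d = dst, *end;

    if (dst_size == 0)
        return dst;
    end = dst + dst_size - 1;
    for (; d < end; ++d, ++src) {
        *d = *src;
        if (*src == '\0') {
            ++d;          /* off by one: step past the terminator ... */
            *d = '\0';    /* ... write another one (still inside dst) ... */
            return d;     /* ... and hand back the extra one */
        }
    }
    *d = '\0';            /* truncation path: this case was already correct */
    return d;
}

/* The reporter's replacement: the return value points at the terminator. */
static char *fixed_cpystrn(char *dst, const char *src, size_t dst_size)
{
    char *d, *end;

    if (dst_size == 0)
        return dst;
    d = dst;
    end = dst + dst_size - 1;
    for (; d < end; ++d, ++src) {
        if (!(*d = *src))
            return d;
    }
    *d = '\0';            /* always null terminate */
    return d;
}

/* The contract callers rely on: the return value is dst + strlen(dst),
 * i.e. the terminator of what was just written.  1 if cpy upholds it. */
static int returns_terminator(cpystrn_fn cpy, const char *src, size_t dst_size)
{
    char buf[32];
    char *ret;

    if (dst_size == 0 || dst_size > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);       /* constructed junk, so a stray '\0' is visible */
    ret = cpy(buf, src, dst_size);
    return ret == buf + strlen(buf) && *ret == '\0';
}

/* Concatenate a and b the way Apache 1.3 code chains ap_cpystrn: the
 * pointer one call returns is where the next copy starts.  Returns 1 if
 * the resulting C string equals expected. */
static int chain_gives(cpystrn_fn cpy, const char *a, const char *b,
                       const char *expected)
{
    char buf[32];
    char *p;

    memset(buf, 'X', sizeof buf);
    p = cpy(buf, a, sizeof buf);
    cpy(p, b, sizeof buf - (size_t)(p - buf));
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the report: an empty prefix followed by
     * the request method.  With the buggy copy the string reads as "",
     * because "GET" lands after a stray '\0' (\0GET\0\0 in memory). */
    printf("buggy: \"\" + \"GET\" reads as empty: %d\n",
           chain_gives(buggy_cpystrn, "", "GET", ""));
    printf("fixed: \"\" + \"GET\" reads as GET:   %d\n",
           chain_gives(fixed_cpystrn, "", "GET", "GET"));
    printf("buggy returns terminator: %d\n", returns_terminator(buggy_cpystrn, "GET", 32));
    printf("fixed returns terminator: %d\n", returns_terminator(fixed_cpystrn, "GET", 32));
    /* Truncation path (dst_size ends the copy): both versions agree. */
    printf("buggy truncated ok: %d\n", returns_terminator(buggy_cpystrn, "GET", 3));
    return 0;
}
```

The point to take from the check helpers is that the bug is in the returned
pointer, not in bounds: both versions stay inside dst, so nothing crashes, and
the damage only shows up in callers that continue writing at the returned
address, where the one-byte gap silently terminates the string early.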
