marc 98/01/05 12:56:29
Modified: src Tag: APACHE_1_2_X util.c
Log:
Eliminate (content sensitive) buffer overflow in cfg_getline. I
have tested it and this hole is exploitable.
Reviewed by: Martin Kraemer, Mark J Cox, Dean Gaudet, Randy Terbush
Revision Changes Path
No revision
No revision
1.52.2.4 +6 -1 apache/src/util.c
Index: util.c
===================================================================
RCS file: /export/home/cvs/apache/src/util.c,v
retrieving revision 1.52.2.3
retrieving revision 1.52.2.4
diff -u -r1.52.2.3 -r1.52.2.4
--- util.c 1997/12/30 18:59:32 1.52.2.3
+++ util.c 1998/01/05 20:56:28 1.52.2.4
@@ -569,6 +569,11 @@
if(c == EOF)
return 1;
+ if(n < 2) {
+ /* too small, assume caller is crazy */
+ return 1;
+ }
+
while(1) {
if((c == '\t') || (c == ' ')) {
s[i++] = ' ';
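Review bot: The new `n < 2` guard returns 1, the same value the `c == EOF` branch just above it returns, so a caller cannot tell an undersized buffer from end of input and will simply stop reading without any diagnostic. The guard also sits after `c` has already been read, so input has been consumed by the time the size is rejected, and any store into `s` earlier in the function (not visible here) would run before `n` is validated. Moving the check to the first statement of the function would be safer. At minimum the comment should state the contract, for example `/* n < 2 leaves no room for one character plus the NUL; this return is indistinguishable from EOF */`. The function body starts and ends outside this hunk.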
@@ -578,7 +583,7 @@
if(c == CR) {
c = getc(f);
}
- if(c == EOF || c == 0x4 || c == LF || i == (n-1)) {
+ if(c == EOF || c == 0x4 || c == LF || i >= (n-2)) {
/* blast trailing whitespace */
while(i && (s[i-1] == ' ')) --i;
s[i] = '\0';
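Review bot: With `i >= (n-2)` in the same condition as the EOF/0x4/LF terminators, an overlong line is ended exactly like a normal one: the character currently held in `c` is neither stored nor pushed back in the visible code, and the rest of the physical line stays in the stream. Assuming the branch then returns success as for a normal line (the return is outside this hunk), the next call would hand the tail of that line to the parser as if it were a separate configuration line, which matters wherever config content is not fully trusted. Draining the remainder before the trailing-whitespace trim would avoid that, e.g. `while (c != EOF && c != 0x4 && c != LF) c = getc(f);`. A logged warning on truncation would also help operators notice it. The new bound itself looks right: `i` can grow by two per iteration (the collapsed space plus the character), which is why `n-2` rather than `n-1` is needed, and a one-line comment saying so would keep the next edit from reverting it.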