https://bz.apache.org/bugzilla/show_bug.cgi?id=69945
Bug ID: 69945
Summary: mod_nw_ssl: potential buffer overflow via strcpy() into fixed-size key buffer
Product: Apache httpd-2
Version: 2.4.66
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mpm_netware
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---

In modules/arch/netware/mod_nw_ssl.c the functions set_secure_listener()
and set_secure_upgradeable_listener() copy the configuration directive
parameter "key" into a fixed-size buffer using strcpy():

    char key[MAX_KEY]; /* MAX_KEY = 80 */
    strcpy(new->key, key);

The value of "key" originates from the SecureListen / NWSSLUpgradeable
configuration directives and is not length-checked before copying.

While this requires local configuration access and affects the legacy
NetWare platform, it represents a classic fixed-size buffer overflow
pattern and could be avoided by using a bounded copy (e.g. apr_cpystrn)
or validating the input length.

This report is for defensive hardening and code robustness.
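
The two remedies named in the report (a length check and a bounded copy), combined in one helper. This is an added example, not code from mod_nw_ssl.c or from the reporter: struct listener_rec, set_listener_key() and the sample key values are hypothetical, and cpystrn() is a local stand-in written to the same contract as APR's apr_cpystrn() so the block builds without APR.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY 80                 /* buffer size quoted in the report */

/* Hypothetical stand-in for the module's per-listener record. */
struct listener_rec {
    char key[MAX_KEY];
};

/* Bounded copy with the apr_cpystrn() contract: writes at most dst_size
 * bytes, always NUL-terminates, returns a pointer to the terminating NUL. */
static char *cpystrn(char *dst, const char *src, size_t dst_size)
{
    char *end;
    if (dst_size == 0)
        return dst;
    end = dst + dst_size - 1;
    while (dst < end && (*dst = *src) != '\0') { dst++; src++; }
    *dst = '\0';
    return dst;
}

/* Returns NULL on success or an error string (the convention httpd directive
 * handlers use). An over-long key is rejected rather than silently truncated,
 * because a truncated key name would refer to a different key. */
static const char *set_listener_key(struct listener_rec *rec, const char *key)
{
    if (key == NULL || *key == '\0')
        return "key name is missing";
    if (strlen(key) >= sizeof(rec->key))
        return "key name is too long for the listener record";
    cpystrn(rec->key, key, sizeof(rec->key));   /* bounded even if the check changes */
    return NULL;
}

int main(void)
{
    struct listener_rec rec;
    char long_key[200];            /* constructed over-long directive value */
    memset(long_key, 'A', sizeof(long_key) - 1);
    long_key[sizeof(long_key) - 1] = '\0';

    const char *err = set_listener_key(&rec, "example-key");   /* constructed */
    printf("short key: %s\n", err ? err : rec.key);
    err = set_listener_key(&rec, long_key);
    printf("long key:  %s\n", err ? err : rec.key);
    return 0;
}
```

Returning the error string from the directive handler makes the server refuse to start on a bad configuration instead of writing past the end of the record.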