Package: motion
Version: 3.2.9-2
Severity: minor

Hi,
there is an off-by-one programming error in webhttpd:

From webhttpd.c:
1950 static int read_client(int client_socket, void *userdata, char *auth)
....
1954     char buffer[1024] = {'\0'};
1955     int length = 1024;
....
1963     int nread = 0, readb = -1;
1964
1965     nread = read (client_socket, buffer, length);
1966
1967     if (nread <= 0) {
1968         motion_log(LOG_ERR, 1, "httpd First read");
1969         pthread_mutex_unlock(&httpd_mutex);
1970         return -1;
1971     }
1972     else {
1973         char method[sizeof (buffer)];
1974         char url[sizeof (buffer)];
1975         char protocol[sizeof (buffer)];
1976         char *authentication=NULL;
1977
1978         buffer[nread] = '\0';

This function reads an HTTP request by a client connecting to the
administration port of motion.

If the client sends exactly or more than 1024 as an HTTP request, line 1978
will write one byte too far, to buffer[1024], as read in line 1965 will
return 1024 bytes.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
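Added example, not part of the original report and not the project's patch: it computes where the terminator from line 1978 lands for a 1024-byte request, next to a bounded read that reserves one byte for it. The names read_request, terminator_index and feed_and_read are hypothetical, and the request bytes are constructed test input sent through a pipe.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define REQ_BUF_SIZE 1024 /* size of buffer[] in the report */

/* Index hit by buffer[nread] = '\0' when `avail` bytes are pending and
 * read() is asked for `limit` bytes (read() returns at most `limit`). */
static size_t terminator_index(size_t avail, size_t limit)
{
    return avail < limit ? avail : limit;
}

/* Assumed fix, not the project's patch: request one byte less than the
 * buffer holds so the terminator always lands inside it. */
static ssize_t read_request(int fd, char *buf, size_t bufsize)
{
    ssize_t nread = bufsize ? read(fd, buf, bufsize - 1) : -1;
    if (nread <= 0)
        return -1;
    buf[nread] = '\0';
    return nread;
}

/* Send request_len constructed bytes through a pipe into a buffer followed
 * by a canary. Returns bytes stored, -1 on error/EOF, -2 if canary changed. */
static ssize_t feed_and_read(size_t request_len)
{
    static char request[2 * REQ_BUF_SIZE];
    struct { char buffer[REQ_BUF_SIZE]; unsigned char canary; } g;
    int fds[2];
    ssize_t n;
    if (request_len > sizeof request || pipe(fds) != 0)
        return -1;
    memset(request, 'A', request_len);
    g.canary = 0x5a;
    n = write(fds[1], request, request_len);
    close(fds[1]);
    n = (n == (ssize_t)request_len) ? read_request(fds[0], g.buffer, sizeof g.buffer) : -1;
    close(fds[0]);
    return g.canary == 0x5a ? n : -2;
}

int main(void)
{
    printf("original terminator index: %zu\n", terminator_index(1024, REQ_BUF_SIZE));
    printf("hardened read stored: %zd bytes\n", feed_and_read(1024));
    return 0;
}
```

With length = 1024 the terminator index equals the buffer size, one past the last valid element; with the limit reduced by one it is 1023 and the remaining request bytes stay queued on the socket for a later read.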