On 10/18/2009 09:35 PM, [email protected] wrote: > Author: sf > Date: Sun Oct 18 19:35:42 2009 > New Revision: 826506 > > URL: http://svn.apache.org/viewvc?rev=826506&view=rev > Log: > htdigest: Fix possible overflow in command line processing. htdigest is not > supposed to be suid save, therefore not treated as a security issue. > > CVE-2005-1344 > Submitted by: Adam Conrad > Reviewed by: Stefan Fritsch > > Modified: > httpd/httpd/trunk/support/htdigest.c > > Modified: httpd/httpd/trunk/support/htdigest.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htdigest.c?rev=826506&r1=826505&r2=826506&view=diff > ============================================================================== > --- httpd/httpd/trunk/support/htdigest.c (original) > +++ httpd/httpd/trunk/support/htdigest.c Sun Oct 18 19:35:42 2009 > @@ -222,9 +222,11 @@ > apr_strerror(rv, errmsg, sizeof errmsg)); > exit(1); > } > + apr_cpystrn(user, argv[4], sizeof(user)); > + apr_cpystrn(realm, argv[3], sizeof(realm));
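Review bot: The two added apr_cpystrn() calls truncate silently, so an argv[4] or argv[3] longer than sizeof(user) - 1 or sizeof(realm) - 1 is stored under a shortened user or realm name with no diagnostic. Consider comparing strlen(argv[4]) and strlen(argv[3]) against the buffer sizes before copying, and exiting with an error message when either is too long, so the entry written to the digest file always matches what was typed on the command line.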
Don't we still have an overflow? If argv[3] and argv[4] are of size MAX_STRING_LEN (which is sizeof(user) and sizeof(realm)) we still have a

sprintf(string, "%s:%s:%s", user, realm, pw);

in line 147 with string, user, realm and pw all of size MAX_STRING_LEN. I guess string should be char[3 * MAX_STRING_LEN] instead of char[MAX_STRING_LEN].

Regards

Rüdiger
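The size arithmetic behind the reply above, as an added example that is not part of the original thread or of htdigest.c: it computes the worst-case length of the "user:realm:pw" line when each field fills a char[MAX_STRING_LEN] buffer, and shows a bounded snprintf() rejecting any destination that is too small. The value 256 for MAX_STRING_LEN and all helper names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256   /* assumed value; the thread only names the macro */

/* Bytes needed, including the terminating NUL, to hold "user:realm:pw". */
static size_t digest_line_size(const char *user, const char *realm, const char *pw)
{
    return strlen(user) + 1 + strlen(realm) + 1 + strlen(pw) + 1;
}

/* Bounded replacement for the sprintf(): 0 on success, -1 if it would not fit. */
static int format_digest_line(char *out, size_t outlen,
                              const char *user, const char *realm, const char *pw)
{
    int n = snprintf(out, outlen, "%s:%s:%s", user, realm, pw);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fill buf with the longest string a char[MAX_STRING_LEN] can hold. */
static void fill_max(char *buf, char c)
{
    memset(buf, c, MAX_STRING_LEN - 1);
    buf[MAX_STRING_LEN - 1] = '\0';
}

/* Worst case: every field at its cap. Returns the bytes required and, via
 * *fits, whether a destination of outlen bytes (<= 3 * MAX_STRING_LEN) holds it. */
static size_t worst_case(size_t outlen, int *fits)
{
    char user[MAX_STRING_LEN], realm[MAX_STRING_LEN], pw[MAX_STRING_LEN];
    char out[3 * MAX_STRING_LEN];

    fill_max(user, 'u');
    fill_max(realm, 'r');
    fill_max(pw, 'p');
    *fits = format_digest_line(out, outlen, user, realm, pw) == 0;
    return digest_line_size(user, realm, pw);
}

int main(void)
{
    int small, large;
    size_t need = worst_case(MAX_STRING_LEN, &small);
    worst_case(3 * MAX_STRING_LEN, &large);
    printf("worst case needs %zu bytes; fits in %d: %s; fits in %d: %s\n",
           need, MAX_STRING_LEN, small ? "yes" : "no",
           3 * MAX_STRING_LEN, large ? "yes" : "no");
    return 0;
}
```

With three NUL-terminated fields of at most MAX_STRING_LEN - 1 characters each, the two colons and the final NUL bring the requirement to exactly 3 * MAX_STRING_LEN bytes.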
