Re: [PATCH] mod_proxy truncates status line
Adam Sussman wrote:

> > Are you 100% sure the buffer is big enough to do this? If the buffer is
> > of size "len" the zero will be written past the end of the buffer.
> >
>
> In the current code, "len" is strlen(buffer) so it can be safely assumed
> to be one less than the length of the buffer (provided of course that
> ap_proxy_string_read can be trusted).

The contents of a buffer can never be trusted though - this could be exploited as an overflow and potentially an exploit.

Regards,
Graham
--
-
[EMAIL PROTECTED] "There's a moon over Bourbon Street tonight..."
Re: [PATCH] mod_proxy truncates status line
> On Sun, Dec 30, 2001 at 02:58:16PM +0200, Graham Leggett wrote:
> > Adam Sussman wrote:
> >
> > > Mod_proxy truncates the status line returned by the proxied
> > > server. One character gets snipped off of the end of the
> > > status line.
> >
> > Are you 100% sure the buffer is big enough to do this? If the buffer is
> > of size "len" the zero will be written past the end of the buffer.
> >
>
> In the current code, "len" is strlen(buffer) ...

Which means that we can just remove the assignment entirely. buffer is already NULL terminated else strlen would be blowing up. In fact, ap_proxy_string_read() NULL terminates the returned buffer.

Bill
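The three positions argued in this thread (the old write drops a byte, a write at index len needs len to be below the buffer size, and the write is redundant when len is strlen), as an added C example that is not httpd code and not from any poster. The helper names and the sample status line are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* "Before" behaviour from the patch: drops the last byte of valid data.
 * Returns the resulting string length. */
static size_t truncating_terminate(char *buf)
{
    size_t len = strlen(buf);
    if (len == 0)
        return 0;           /* guard added here: --len would wrap around */
    buf[--len] = '\0';
    return len;
}

/* Bounds-checked terminator for a caller that cannot assume len came
 * from strlen(): returns 0 on success, -1 if buf[len] is out of bounds. */
static int terminate_at(char *buf, size_t size, size_t len)
{
    if (len >= size)
        return -1;          /* index len is one past the end or worse */
    buf[len] = '\0';
    return 0;
}

/* Parse the code from "HTTP/x.y NNN ..." without writing into the line.
 * Returns the status code, or -1 if the line is too short or malformed. */
static int parse_status(const char *line)
{
    if (strlen(line) < 12 || strncmp(line, "HTTP/", 5) != 0 || line[8] != ' ')
        return -1;
    for (int i = 9; i < 12; i++)
        if (!isdigit((unsigned char)line[i]))
            return -1;
    return (line[9] - '0') * 100 + (line[10] - '0') * 10 + (line[11] - '0');
}

int main(void)
{
    char a[32] = "HTTP/1.1 200 OK";   /* constructed sample status line */
    char b[16] = "HTTP/1.1 200 OK";   /* exactly 15 bytes of data + NUL */
    printf("%zu\n", truncating_terminate(a));
    printf("%d %d\n", terminate_at(b, sizeof b, strlen(b)),
           terminate_at(b, sizeof b, sizeof b));
    printf("%d\n", parse_status(b));
    return 0;
}
```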
Re: [PATCH] mod_proxy truncates status line
On Sun, Dec 30, 2001 at 02:58:16PM +0200, Graham Leggett wrote:
> Adam Sussman wrote:
>
> > Mod_proxy truncates the status line returned by the proxied
> > server. One character gets snipped off of the end of the
> > status line.
>
> Are you 100% sure the buffer is big enough to do this? If the buffer is
> of size "len" the zero will be written past the end of the buffer.
>

In the current code, "len" is strlen(buffer) so it can be safely assumed to be one less than the length of the buffer (provided of course that ap_proxy_string_read can be trusted).

In any case, the specific setting of a null character in a way that truncates valid data is not appropriate here. Buffer and len must be sized appropriately. I believe that they are correct.

-adam

> > Index: modules/proxy/proxy_http.c > > === > > RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v > > retrieving revision 1.114 > > diff -u -r1.114 proxy_http.c > > --- proxy_http.c19 Dec 2001 16:32:01 - 1.114 > > +++ proxy_http.c29 Dec 2001 00:12:21 - > > @@ -689,7 +689,7 @@ > > "server: ", buffer, NULL)); > > } > > backasswards = 0; > > -buffer[--len] = '\0'; > > +buffer[len] = '\0'; > > > > buffer[12] = '\0'; > > r->status = atoi(&buffer[9]);
> >
> Regards,
> Graham
> --
> -
> [EMAIL PROTECTED] "There's a moon
> over Bourbon Street
> tonight..."

--
"I believe in Kadath in the cold waste, and Ultima Thule. But you cannot prove to me that Harvard Law School actually exists." - Theodora Goss

"I'm not like that, I have a cat, I don't need you.. My cat, and about 18 lines of bourne shell code replace you in life." - anonymous

Adam Sussman
Vidya Media Ventures
[EMAIL PROTECTED]
Re: [PATCH] mod_proxy truncates status line
Adam Sussman wrote:

> Mod_proxy truncates the status line returned by the proxied
> server. One character gets snipped off of the end of the
> status line.

Are you 100% sure the buffer is big enough to do this? If the buffer is of size "len" the zero will be written past the end of the buffer.

> Index: modules/proxy/proxy_http.c > === > RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v > retrieving revision 1.114 > diff -u -r1.114 proxy_http.c > --- proxy_http.c19 Dec 2001 16:32:01 - 1.114 > +++ proxy_http.c29 Dec 2001 00:12:21 - > @@ -689,7 +689,7 @@ > "server: ", buffer, NULL)); > } > backasswards = 0; > -buffer[--len] = '\0'; > +buffer[len] = '\0'; > > buffer[12] = '\0'; > r->status = atoi(&buffer[9]);

Regards,
Graham
--
-
[EMAIL PROTECTED] "There's a moon over Bourbon Street tonight..."
[PATCH] mod_proxy truncates status line
Mod_proxy truncates the status line returned by the proxied server. One character gets snipped off of the end of the status line.

-adam

Index: modules/proxy/proxy_http.c === RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v retrieving revision 1.114 diff -u -r1.114 proxy_http.c --- proxy_http.c19 Dec 2001 16:32:01 - 1.114 +++ proxy_http.c29 Dec 2001 00:12:21 - @@ -689,7 +689,7 @@ "server: ", buffer, NULL)); } backasswards = 0; -buffer[--len] = '\0'; +buffer[len] = '\0'; buffer[12] = '\0'; r->status = atoi(&buffer[9]);
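Review bot: the added `buffer[len] = '\0';` writes at index len, which is in bounds only when the buffer holds at least len + 1 bytes, and nothing in the hunk shows how len relates to the buffer's size. If len is strlen(buffer), as stated in the thread, that byte is already the terminator and the assignment can be dropped rather than changed; if len can come from anywhere else, check it against the buffer size before the write. The unchanged context `buffer[12] = '\0'; r->status = atoi(&buffer[9]);` also uses fixed offsets with no visible check that the status line is at least that long, so a length check before those two lines belongs in the same change.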