I have found a major buffer overflow bug. I found this while working on my FTP module for Apache 2.0, <http://outoforder.cc/projects/apache/>, which was initially based off of the structure of httpd-pop3.
The issue is that ap_getword_white_nc moves the pointer in buffer up by the number of characters that were extracted and copied into the allocated return value (on line 135, command). After a number of iterations through the main while(1) loop, buffer gets continually incremented well beyond the initial 255 characters that were originally allocated to it, and starts overwriting other elements allocated afterward by r->pool. This is my solution to the problem. Here is the patch:

--- pop_protocol.c.bak Tue Nov 4 15:08:10 2003
+++ pop_protocol.c Sat Jan 3 20:27:35 2004
@@ -110,7 +110,8 @@
 int process_pop_connection_internal(request_rec *r, apr_bucket_brigade *bb)
 {
- char *buffer = apr_palloc(r->pool, POP_STRING_LENGTH);
+ char command_buffer[POP_STRING_LENGTH];
+ char *buffer;
 char *command;
 int invalid_cmd = 0;
 apr_size_t len;
@@ -124,7 +125,7 @@
 while (1) {
 int res;
-
+ buffer = command_buffer;
 if ((invalid_cmd > MAX_INVALID_CMD) ||
 ap_rgetline(&buffer, POP_STRING_LENGTH, &len, r, 0, bb) != APR_SUCCESS) {
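Review bot: In the first hunk, swapping the apr_palloc allocation for a stack array `char command_buffer[POP_STRING_LENGTH];` is not what closes the overrun described above; the overrun comes from `buffer` being advanced past the start of whatever it points at, and a stack array drifts just like a pool allocation does. The minimal fix is to keep the original pool allocation under a second name and reset `buffer` to it each iteration, e.g. `char *command_buffer = apr_palloc(r->pool, POP_STRING_LENGTH);` with `char *buffer;` as in the hunk, which avoids putting a POP_STRING_LENGTH-byte array on the stack of a function that runs for the life of the connection. If the stack array is kept deliberately, say why in the commit message, and add a comment at the declaration that `buffer` is a cursor into `command_buffer`, since the two names now look interchangeable.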
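Review bot: The `buffer = command_buffer;` line is the actual fix, because ap_rgetline is passed POP_STRING_LENGTH as the space available at `buffer`, and that is only true when `buffer` points at the start of the array; it deserves a comment stating that invariant, e.g. `/* ap_getword_white_nc advances buffer each iteration; rewind before reading the next line */`, so the next person does not "clean up" the apparently redundant assignment. Two further things to check before applying: the `-110,7` header announces seven old lines but the hunk as posted shows six, and the second hunk stops mid-`if`, so this should be regenerated with `diff -u` against a clean tree; and anything after the loop that still reads `buffer` (the last partially consumed line) rather than `command_buffer` will now see the remainder of the final command instead of its start, which was already the case before but is worth confirming is intended.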
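The pointer drift described in the mail, as an added example that is not code from httpd-pop3, the FTP module, or the posted patch. getword_white and read_line are simplified stand-ins for ap_getword_white_nc and ap_rgetline (the assumption being only that the first advances the caller's pointer past the word it returns and the second writes into the buffer it is handed, trusting the length it is given); the POP session lines are constructed, and STRING_LENGTH is shrunk so the overrun shows within a handful of commands. max_write_offset runs the loop with and without the patch's rewind and reports how far past the start of the allocation the reader would write.

```c
/* Added example modelling the bug in the mail above; not Apache/APR code.
 * getword_white and read_line are hypothetical stand-ins for
 * ap_getword_white_nc and ap_rgetline. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STRING_LENGTH 24   /* stands in for POP_STRING_LENGTH, kept small */

/* Stand-in for ap_getword_white_nc: copies the first whitespace-delimited
 * word and advances *line past it and any following whitespace. This is the
 * side effect that moves the caller's pointer. */
static char *getword_white(char **line)
{
    char *start = *line, *p = start;
    while (*p && !isspace((unsigned char)*p)) p++;
    size_t n = (size_t)(p - start);
    char *word = malloc(n + 1);
    if (!word) return NULL;
    memcpy(word, start, n);
    word[n] = '\0';
    while (*p && isspace((unsigned char)*p)) p++;
    *line = p;
    return word;
}

/* Stand-in for ap_rgetline with a caller-supplied buffer of size n: copies
 * the next client line (constructed here) into *buf, NUL-terminated.
 * It has no way to know *buf no longer points at the start of the allocation. */
static int read_line(char **buf, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (len + 1 > n) return -1;     /* reader would report no space */
    memcpy(*buf, src, len + 1);
    return 0;
}

/* Runs the command loop over a constructed session and returns the largest
 * offset from the start of the allocation that read_line would write to.
 * An offset >= STRING_LENGTH means the write lands outside the allocation
 * (in the real module: whatever r->pool handed out after buffer).
 * reset != 0 applies the patch's `buffer = command_buffer;` rewind. */
size_t max_write_offset(int reset)
{
    /* constructed client session, not captured traffic */
    static const char *session[] = {
        "USER alice", "PASS secret", "STAT", "LIST 1", "RETR 1", "QUIT"
    };
    char alloc[STRING_LENGTH];
    char *buffer = alloc;
    size_t worst = 0;

    for (size_t i = 0; i < sizeof session / sizeof *session; i++) {
        if (reset)
            buffer = alloc;         /* the fix: rewind before each read */
        size_t start = (size_t)(buffer - alloc);
        size_t end = start + strlen(session[i]);   /* index of the NUL written */
        if (end > worst)
            worst = end;
        if (end >= STRING_LENGTH)
            break;                  /* stop before really corrupting our stack */
        (void)read_line(&buffer, STRING_LENGTH, session[i]);
        char *command = getword_white(&buffer);     /* advances buffer */
        free(command);
    }
    return worst;
}

int main(void)
{
    printf("without rewind: last write at offset %zu of %d\n",
           max_write_offset(0), STRING_LENGTH);
    printf("with rewind:    last write at offset %zu of %d\n",
           max_write_offset(1), STRING_LENGTH);
    return 0;
}
```

Without the rewind each command's first word pushes the cursor forward, so by the fifth line the reader is writing past the end of a 24-byte allocation even though every individual line fits; with the rewind the worst write is the longest single line. The same drift occurs whether the allocation is on the stack or from a pool, which is why the rewind, not the change of allocator, is the fix.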