DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=40894>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40894

Summary: Off-by-one error in copying strings leads to some FTP sites that don't load
Product: Apache httpd-2
Version: 2.2.3
Platform: All
URL: ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

In mod_proxy_ftp, responses from the FTP server over the control channel are copied from a bucket brigade to a buffer using apr_cpystrn() incorrectly. The length parameter is taken directly from the bucket brigade, which represents the actual number of data bytes. However, apr_cpystrn() always NULL-terminates strings, meaning it uses the last byte inside the given length for a NULL, and not for the last byte of data from the FTP server.

Usually, this is not a problem, since it only cuts off a period at the end of a sentence, or the LF of a CRLF pair. However, it breaks some sites that return their responses as such:

Packet one: "250-"
Packet two: "Welcome to our FTP site."
Packet three: "\r\n"

This is passed back to the caller as "250Welcome to our FTP site\r". Since the caller checks that the fourth character is either '-' or ' ', the caller returns an error.

Example URL given above in the appropriate field.

Since the patch is so short, I'm inlining it here:

--- proxy_util.c.orig 2006-11-04 08:15:20.000000000 +0100 +++ proxy_util.c 2006-11-04 08:13:21.000000000 +0100 
@@ -967,6 +967,13 @@ if (memchr(response, APR_ASCII_LF, len)) { found = 1; } + + /* For the code below, apr_cpystrn() always NULL terminates + * the destination string, meaning we need to make len one + * byte longer to accommodate for that. Just to be paranoid, + * check for an integer overflow. */ + if (len+1 > len) len++; + /* concat strings until buff is full - then throw the data away */ if (len > ((bufflen-1)-(pos-buff))) { len = (bufflen-1)-(pos-buff);
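
Review bot: in the added `if (len+1 > len) len++;`, the wraparound guard is only well defined if `len` is an unsigned type, which these lines do not show; if it is signed, the comparison is undefined behaviour and a compiler may drop it. The increment also changes what `len` means for everything after it: the clamp `len = (bufflen-1)-(pos-buff)` and any later use now count the terminator as well as the data bytes. Consider leaving `len` as the data byte count and passing `len + 1` only as the size argument of the apr_cpystrn() call that the new comment refers to, after the existing clamp. At that point `len` is already bounded by `bufflen-1`, so the overflow test becomes unnecessary and the bound against `bufflen` stays easy to audit.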

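The truncation described in the report, reproduced as an added example (not code from the bug report or from httpd). `cpystrn()` is a local stand-in with the copy semantics the report attributes to apr_cpystrn(); `join_chunks()` and `reply_ok()` are hypothetical names modelling the buffer loop and the caller's fourth-character check.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in (assumption) with the semantics the report describes for
 * apr_cpystrn(): copy at most n-1 bytes, always terminate, and return
 * a pointer to the terminator. */
static char *cpystrn(char *dst, const char *src, size_t n)
{
    if (n == 0) return dst;
    while (--n > 0 && *src) *dst++ = *src++;
    *dst = '\0';
    return dst;
}

/* Concatenate control-channel chunks into buff (hypothetical helper).
 * extra = 0: the size passed is the data byte count, as in the report.
 * extra = 1: one more byte is reserved for the terminator. */
static void join_chunks(char *buff, size_t bufflen, const char **chunks,
                        size_t nchunks, size_t extra)
{
    char *pos = buff;
    buff[0] = '\0';
    for (size_t i = 0; i < nchunks; i++) {
        size_t len = strlen(chunks[i]) + extra;
        size_t room = (bufflen - 1) - (size_t)(pos - buff);
        if (len > room) len = room;   /* buffer full: drop the rest */
        if (len > 0) pos = cpystrn(pos, chunks[i], len);
    }
}

/* The caller's check from the report: 4th character is '-' or ' '. */
static int reply_ok(const char *line)
{
    return strlen(line) >= 4 && (line[3] == '-' || line[3] == ' ');
}

/* The three packets quoted in the report. */
static const char *PACKETS[] = { "250-", "Welcome to our FTP site.", "\r\n" };

int main(void)
{
    char buggy[128], fixed[128];
    join_chunks(buggy, sizeof buggy, PACKETS, 3, 0);
    join_chunks(fixed, sizeof fixed, PACKETS, 3, 1);
    printf("buggy ok=%d fixed ok=%d\n", reply_ok(buggy), reply_ok(fixed));
    return 0;
}
```

With `extra = 0` each chunk loses its last byte, so the `-` after `250` never reaches the buffer and the reply is rejected.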