martin      98/05/27 08:29:30

  Modified:    src      CHANGES
               src/modules/proxy proxy_ftp.c
  Log:
  [SECURITY] A possible buffer overflow in the ftp proxy code was fixed.
  (Large FTP responses could overflow a buffer)
  
  Revision  Changes    Path
  1.865     +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.864
  retrieving revision 1.865
  diff -u -u -r1.864 -r1.865
  --- CHANGES   1998/05/27 14:57:36     1.864
  +++ CHANGES   1998/05/27 15:29:28     1.865
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3b8
   
  +  *) [SECURITY] A possible buffer overflow in the ftp proxy was fixed.
  +     [Martin Kraemer]
  +
     *) Transform the configure message "You need root priviledges for suEXEC"
        from a fatal error into a (more friendly) warning because the building
        ("make") of Apache we can allow, of course. Root priviledges are needed
  
  
  
  1.59      +9 -9      apache-1.3/src/modules/proxy/proxy_ftp.c
  
  Index: proxy_ftp.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_ftp.c,v
  retrieving revision 1.58
  retrieving revision 1.59
  diff -u -u -r1.58 -r1.59
  --- proxy_ftp.c       1998/05/21 03:37:47     1.58
  +++ proxy_ftp.c       1998/05/27 15:29:30     1.59
  @@ -190,7 +190,7 @@
       int len, status;
       char linebuff[100], buff[5];
   
  -    len = ap_bgets(linebuff, 100, f);
  +    len = ap_bgets(linebuff, sizeof linebuff, f);
       if (len == -1)
        return -1;
   /* check format */
  @@ -209,7 +209,7 @@
        memcpy(buff, linebuff, 3);
        buff[3] = ' ';
        do {
  -         len = ap_bgets(linebuff, 100, f);
  +         len = ap_bgets(linebuff, sizeof linebuff, f);
            if (len == -1)
                return -1;
            if (linebuff[len - 1] != '\n') {
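Review bot: `linebuff[len - 1]` is evaluated after only `len == -1` has been ruled out, so a zero return from ap_bgets (which, as far as I know, is how it reports end of stream) would index one byte before the buffer. The guard should cover that case as well, e.g. `if (len <= 0) return -1;`, or test `len > 0` before indexing. The same pattern appears at the `linebuff[len - 1]` checks in the hunks at -241 and -250. The enclosing function starts and ends outside this hunk.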
  @@ -229,10 +229,10 @@
   {
       int len, status;
       char linebuff[100], buff[5];
  -    char *mb = msgbuf;
  -    int ml = msglen;
  +    char *mb = msgbuf,
  +      *me = &msgbuf[msglen];
   
  -    len = ap_bgets(linebuff, 100, f);
  +    len = ap_bgets(linebuff, sizeof linebuff, f);
       if (len == -1)
        return -1;
       if (len < 5 || !isdigit(linebuff[0]) || !isdigit(linebuff[1]) ||
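Review bot: The `isdigit(linebuff[0])` calls on the last line pass a plain `char` taken from the remote server's reply. Where `char` is signed, a byte above 0x7f becomes a negative argument, which is undefined for the ctype functions. Cast each argument, as in `isdigit((unsigned char)linebuff[0])`. Separately, `me = &msgbuf[msglen]` relies on the caller passing a positive msglen; a comment such as `/* me: one past the end of msgbuf; msglen must be > 0 */` would record that contract. The condition continues past the end of the hunk.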
  @@ -241,7 +241,7 @@
       else
        status = 100 * linebuff[0] + 10 * linebuff[1] + linebuff[2] - 111 * '0';
   
  -    mb = ap_cpystrn(mb, linebuff+4, len-4 < ml ? len-4 : ml);
  +    mb = ap_cpystrn(mb, linebuff+4, me - mb);
   
       if (linebuff[len - 1] != '\n')
        (void)ap_bskiplf(f);
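Review bot: `ap_cpystrn(mb, linebuff+4, me - mb)` now bounds only the destination; the source is read from offset 4 until a NUL, and nothing visible guarantees the line is at least 4 bytes long. The `len < 5` branch above the `else` is outside this hunk, but if it does not return, a short reply makes `linebuff+4` start past the terminator that ap_bgets wrote, so stale or uninitialised stack bytes are copied into msgbuf. The continuation loop in the next hunk (-250) has no length check at all before its copy and its `memcmp(linebuff, buff, 4)`. Guarding the copy, `if (len > 4) mb = ap_cpystrn(mb, linebuff+4, me - mb);`, would keep the read inside the data actually received.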
  @@ -250,13 +250,13 @@
        memcpy(buff, linebuff, 3);
        buff[3] = ' ';
        do {
  -         len = ap_bgets(linebuff, 100, f);
  +         len = ap_bgets(linebuff, sizeof linebuff, f);
            if (len == -1)
                return -1;
            if (linebuff[len - 1] != '\n') {
                (void)ap_bskiplf(f);
            }
  -            mb = ap_cpystrn(mb, linebuff+4, len-4 < ml ? len-4 : ml);
  +         mb = ap_cpystrn(mb, linebuff+4, me - mb);
        } while (memcmp(linebuff, buff, 4) != 0);
       }
       return status;
  @@ -352,7 +352,7 @@
        hostlen = 0;
   
       while (!con->aborted) {
  -     n = ap_bgets(buf, IOBUFSIZE, f);
  +     n = ap_bgets(buf, sizeof buf, f);
        if (n == -1) {          /* input error */
            if (f2 != NULL)
                f2 = ap_proxy_cache_error(c);
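Review bot: `sizeof buf` equals the buffer size only if `buf` is declared as an array in this function; its declaration is outside the hunk, so that needs checking. If `buf` is a pointer or an array-typed parameter, the expression yields the pointer size and the read limit silently shrinks to a few bytes; in that case keep the explicit `IOBUFSIZE`.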
  
  
  
