coar 98/07/01 03:34:21
Modified: src/support suexec.c Log: Redo the 'too few arguments' error reporting in a way that doesn't do excessive unsafe string copying (which Marc pointed out was a flaw in the last edit). Revision Changes Path 1.41 +27 -1 apache-1.3/src/support/suexec.c Index: suexec.c =================================================================== RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.40 retrieving revision 1.41 diff -u -r1.40 -r1.41 --- suexec.c 1998/06/20 11:07:38 1.40 +++ suexec.c 1998/07/01 10:34:20 1.41 @@ -261,10 +261,36 @@ if (argc < 4) { char msgbuf[2048]; int i; + int clen; + static char *omsg = " {buffer overflow}"; + int olen = strlen(omsg); ap_snprintf(msgbuf, sizeof(msgbuf), "too few (%d) arguments:", argc); + clen = strlen(msgbuf); for (i = 0; i < argc; i++) { - ap_snprintf(msgbuf, sizeof(msgbuf), "%s [%s]", msgbuf, argv[i]); + int alen = strlen(argv[i]) + 4; + int rlen = sizeof(msgbuf) - clen - 1; + int oflow = (alen > rlen); + + alen = oflow ? rlen : alen; + if (rlen > 1) { + msgbuf[clen++] = ' '; + alen--; + } + if (rlen > 2) { + msgbuf[clen++] = '['; + alen--; + } + ap_cpystrn(&msgbuf[clen], argv[i], alen); + if (oflow) { + ap_cpystrn(&msgbuf[sizeof(msgbuf) - olen - 1], omsg, olen + 1); + break; + } + else { + clen += alen - 2; + msgbuf[clen++] = ']'; + msgbuf[clen] = '\0'; + } } log_err("%s\n", msgbuf); exit(101);