Hi, On Thu, Sep 4, 2014 at 12:52 PM, <jkal...@apache.org> wrote: > Author: jkaluza > Date: Thu Sep 4 10:52:24 2014 > New Revision: 1622450 > > URL: http://svn.apache.org/r1622450 > Log: > ab: increase request and response header size to 8192 bytes, > fix potential buffer-overflow in Server: header handling. > > Modified: > httpd/httpd/trunk/support/ab.c > > Modified: httpd/httpd/trunk/support/ab.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/support/ab.c?rev=1622450&r1=1622449&r2=1622450&view=diff > ============================================================================== > --- httpd/httpd/trunk/support/ab.c (original) > +++ httpd/httpd/trunk/support/ab.c Thu Sep 4 10:52:24 2014 [snip] > @@ -1516,12 +1516,14 @@ static void read_connection(struct conne > * this is first time, extract some interesting info > */ > char *p, *q; > + size_t len = 0; > p = strstr(c->cbuff, "Server:"); > q = servername; > if (p) { > p += 8; > - while (*p > 32) > - *q++ = *p++; > + /* -1 to not overwrite last '\0' byte */ > + while (*p > 32 && len++ < sizeof(servername) - 1)
Maybe ++len above (instead of len++) since we need to leave room for the final '\0' below? Otherwise we may still overflow when writing it to servername[sizeof(servername)]... > + *q++ = *p++; > } > *q = 0; > } > Regards, Yann.
