Full_Name: Frank Denis - Jedi/Sector One
Version: 2.8.8 (OpenBSD-current)
OS: OpenBSD
Submission from: (NULL) (212.198.0.93)
There's an easy to exploit (through .htaccess files) buffer overflow in mod_ssl. The EAPI's rewrite parser hook skips spaces without checking whether the pointer went past the end of the buffer. Fix follows : --- src/modules/ssl/ssl_engine_compat.c.orig Thu Mar 29 12:21:24 2001 +++ src/modules/ssl/ssl_engine_compat.c Sun Jun 23 09:39:54 2002 @@ -300,16 +300,16 @@ * Skip comment lines */ cp = (char *)oline; - while ((*cp == ' ' || *cp == '\t' || *cp == '\n') && (*cp != NUL)) + for (i = 0; (*cp == ' ' || *cp == '\t' || *cp == '\n') && (*cp != NUL) && ++ i < sizeof(caCmd); ) cp++; - if (*cp == '#' || *cp == NUL) + if (*cp == '#' || *cp == NUL || i >= sizeof(caCmd)) return NULL; /* * Extract directive name */ cp = (char *)oline; - for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; ) + for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < sizeof(caCmd) - 1 ; ) caCmd[i++] = *cp++; caCmd[i] = NUL; cpArgs = cp; Cut/pasting patches in HTML forms often give bad results, so for convenience you can also fetch the trivial patch from here : http://www.42-networks.com/ssl_parse_overflow.patch Best regards, -Jedi. ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
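Review bot: the bound added to the blank-skipping loop (`++ i < sizeof(caCmd)` plus the new `i >= sizeof(caCmd)` test on the comment check) does not close an overrun and can be dropped: that loop only advances a pointer, and it already stops at the terminator, since none of `' '`, `'\t'`, `'\n'` is NUL (which also makes the `*cp != NUL` term redundant in both the old and the new version). What the change does do is alter behaviour: a line with sizeof(caCmd) or more leading blanks is now silently discarded as if it were a comment, and the count is thrown away anyway, because the extraction loop restarts with `for (i = 0; ...` from `cp = (char *)oline` rather than from where the skip stopped. The out-of-bounds write is in the second loop: with the old `i < 1024` the counter can reach 1024 before `caCmd[i] = NUL`, which for a 1024-byte caCmd is one byte past the end, so the `i < sizeof(caCmd) - 1` bound is the actual fix and stands on its own. Two follow-ups on that loop: when the name is cut at the bound the loop exits with cp mid-token, so `cpArgs = cp` feeds the tail of the directive name to the argument parser and the truncated prefix gets matched as a directive; returning NULL (or an error) when the character after the loop is not a blank or NUL would be safer. And if `i` is declared as an int, `i < sizeof(caCmd) - 1` and `++ i < sizeof(caCmd)` are signed/unsigned comparisons that compilers warn about; declare it size_t or cast.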
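The off-by-one the message describes, as an added example that is neither mod_ssl's code nor the author's patch: a directive-name extraction loop in the shape of the compat parser's, run once with the original bound (the buffer size itself) and once with the corrected one, against a canary byte placed directly after the buffer so the overrun is observable without undefined behaviour. The 16-byte buffer (standing in for the 1024-byte caCmd), the names `parse_vuln`, `parse_fixed`, `canary_survives`, `fixed_rc` and `fixed_parses_as`, and the sample directive lines are all constructed for this example; the compat parser's reset of `cp` to the start of the line before extraction is not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for mod_ssl's caCmd[1024]; kept small so the
   one-byte overrun is easy to see.  Not mod_ssl's code. */
#define CMDSZ  16
#define CANARY 'C'   /* byte the harness places right after the buffer */

/* Copy the directive name at the start of line into cmd, writing at most
   `bound` name bytes and then a NUL.  Same shape as the compat parser's
   extraction loop; the caller picks `bound`, and bound == buffer size is
   exactly the bug.  Returns 1 on success, 0 for a blank or comment line. */
static int extract_name(const char *line, char *cmd, size_t bound, const char **args)
{
    const char *cp = line;
    size_t i;

    /* Skip leading blanks.  None of the three characters is NUL, so this
       loop cannot step past the terminator of a NUL-terminated line. */
    while (*cp == ' ' || *cp == '\t' || *cp == '\n')
        cp++;
    if (*cp == '#' || *cp == '\0')
        return 0;

    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != '\n' && *cp != '\0' && i < bound; )
        cmd[i++] = *cp++;
    cmd[i] = '\0';      /* i can equal bound here: this is the off-by-one write */
    *args = cp;
    return 1;
}

/* Original shape: loop bound equals the buffer size (mod_ssl used i < 1024
   for a 1024-byte caCmd), so a name of CMDSZ or more bytes puts the
   terminating NUL at cmd[cmdsize]. */
int parse_vuln(const char *line, char *cmd, size_t cmdsize, const char **args)
{
    return extract_name(line, cmd, cmdsize, args);
}

/* Fixed shape: reserve one byte for the terminator (the sizeof(caCmd) - 1
   bound of the patch) and refuse a name that did not fit instead of
   truncating it and handing its tail over as arguments.
   Returns 1 on success, 0 for blank/comment, -1 for an over-long name. */
int parse_fixed(const char *line, char *cmd, size_t cmdsize, const char **args)
{
    int rc;
    char next;

    if (cmdsize == 0)
        return -1;
    rc = extract_name(line, cmd, cmdsize - 1, args);
    if (rc != 1)
        return rc;
    next = **args;
    if (next != ' ' && next != '\t' && next != '\n' && next != '\0')
        return -1;      /* loop stopped on the bound, not on a delimiter */
    return 1;
}

/* Harness: hand the parser a "CMDSZ-byte" buffer that is really CMDSZ + 1
   bytes with a canary in the last slot.  Returns 1 if the canary survived. */
int canary_survives(int (*parse)(const char *, char *, size_t, const char **),
                    const char *line)
{
    char storage[CMDSZ + 1];
    const char *args = NULL;

    memset(storage, 'X', sizeof storage);
    storage[CMDSZ] = CANARY;
    parse(line, storage, CMDSZ, &args);
    return storage[CMDSZ] == CANARY;
}

/* Return code of the fixed parser for one line. */
int fixed_rc(const char *line)
{
    char cmd[CMDSZ];
    const char *args = NULL;
    return parse_fixed(line, cmd, sizeof cmd, &args);
}

/* 1 if the fixed parser splits line into exactly name / rest. */
int fixed_parses_as(const char *line, const char *name, const char *rest)
{
    char cmd[CMDSZ];
    const char *args = NULL;
    if (parse_fixed(line, cmd, sizeof cmd, &args) != 1)
        return 0;
    return strcmp(cmd, name) == 0 && strcmp(args, rest) == 0;
}

int main(void)
{
    /* Constructed sample lines, as they might appear in an .htaccess file. */
    static const char *lines[] = {
        "SSLEngine on",
        "   # a comment line",
        "SSLCACertificateFile /etc/ssl/ca.crt",   /* 20-byte name, > CMDSZ */
    };
    size_t n;

    for (n = 0; n < sizeof lines / sizeof lines[0]; n++)
        printf("%-40s vuln canary %s, fixed canary %s, fixed rc %d\n",
               lines[n],
               canary_survives(parse_vuln, lines[n]) ? "intact" : "CLOBBERED",
               canary_survives(parse_fixed, lines[n]) ? "intact" : "CLOBBERED",
               fixed_rc(lines[n]));
    return 0;
}
```

On the 20-byte directive name the vulnerable loop copies 16 bytes and then writes the NUL into the canary slot, which is the same single-byte overwrite the 1024-byte caCmd suffers from a 1024-byte name; the fixed loop stops one byte earlier and, because the byte after the loop is not a delimiter, reports -1 rather than matching a truncated name and passing its tail on as arguments.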